tcpdump mailing list archives

When will a packet filter be ignored/unused?


From: Jim Lloyd <jlloyd () silvertailsystems com>
Date: Tue, 16 Mar 2010 16:40:55 -0700

I have a working application using libpcap that doesn't always filter as I
expect. The application is designed to sniff http traffic, so the filter can
be as simple as "tcp port 80". However, we allow sniffing multiple http
servers running on different ports, so it is common to use a filter like
"tcp and (port 80 or port 8080)". Because of this, when sniffing a single
port, the filter we use will look like "tcp and (port 80)".

This filter seems to work correctly "most" of the time, but in varying
situations we start to see packets where neither the source port nor the
destination port matches the specified port. Until today, I only noticed
this for relatively high volume packet sniffing (say 250mbps). But now I am
seeing it on one of our machines with a relatively modest volume of traffic
(about 18mbps).

I imagine it might be driver specific, and now I see that the ethernet
interfaces on the servers I have available for testing have a more diverse
set of drivers than I was aware. Using ethtool and checking a few different
interfaces, I see drivers bnx2, tg3, and forcedeth. I seem to be having
problems with bnx2. Is this a known issue?

No error code is returned when we compile and install the filter. Is there
any way to determine if a filter is being ignored?

Thanks,
Jim Lloyd
Silver Tail Systems
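One way to answer the last question without trusting the kernel's verdict, as an added example that is not Jim's code or part of libpcap: re-check every captured frame in user space against the same "tcp and (port 80)" rule and flag any that should not have arrived. The 802.1Q tag handling and the constructed sample frames are my assumptions, not anything stated in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Re-check "tcp and (port PORT)" on one captured frame.  Returns 1 if it
 * matches, 0 if the kernel filter should have dropped it, -1 if the frame is
 * too short to decide.  One 802.1Q tag is handled (assumption: a tag shifts
 * the IP header by four bytes, which is easy to miss when eyeballing ports). */
int tcp_port_matches(const uint8_t *f, size_t len, uint16_t port) {
    size_t off = 14;
    if (len < off) return -1;
    uint16_t etype = be16(f + 12);
    if (etype == 0x8100) {                 /* 802.1Q: real EtherType follows the tag */
        if (len < 18) return -1;
        etype = be16(f + 16);
        off = 18;
    }
    if (etype != 0x0800) return 0;         /* not IPv4, so "tcp" cannot match */
    if (len < off + 20) return -1;
    const uint8_t *ip = f + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return 0;
    if (ip[9] != 6) return 0;              /* protocol field: 6 = TCP */
    if (be16(ip + 6) & 0x1fff) return 0;   /* non-first fragment carries no ports */
    if (len < off + ihl + 4) return -1;
    const uint8_t *tcp = ip + ihl;
    return be16(tcp) == port || be16(tcp + 2) == port;
}

/* Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, no payload). */
size_t build_frame(uint8_t *buf, int vlan, uint16_t sport, uint16_t dport) {
    size_t n = 12;                         /* MAC addresses left as zeros */
    memset(buf, 0, 64);
    if (vlan) { buf[n++] = 0x81; buf[n++] = 0x00; buf[n++] = 0x00; buf[n++] = 0x64; }
    buf[n++] = 0x08; buf[n++] = 0x00;      /* EtherType IPv4 */
    uint8_t *ip = buf + n;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;   /* IHL 5, len 40, TTL 64, TCP */
    n += 20;
    buf[n] = sport >> 8; buf[n + 1] = sport & 0xff;
    buf[n + 2] = dport >> 8; buf[n + 3] = dport & 0xff;
    buf[n + 12] = 0x50;                    /* data offset 5 (20-byte TCP header) */
    return n + 20;
}

int main(void) {
    uint8_t a[64], b[64], c[64];
    size_t la = build_frame(a, 0, 40000, 80), lb = build_frame(b, 0, 40000, 443),
           lc = build_frame(c, 1, 80, 51000);
    printf("dst 80: %d, dst 443: %d, tagged src 80: %d\n",
           tcp_port_matches(a, la, 80), tcp_port_matches(b, lb, 80), tcp_port_matches(c, lc, 80));
    return 0;
}
```

In a live capture the same check (or pcap_offline_filter() with the compiled program) can run inside the pcap_loop() callback, and a nonzero count of frames returning 0 tells you the installed filter is not being honoured.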