tcpdump mailing list archives
Re: When will a packet filter be ignored/unused?
From: Jim Lloyd <jlloyd () silvertailsystems com>
Date: Wed, 17 Mar 2010 10:54:33 -0700
On Tue, Mar 16, 2010 at 4:40 PM, Jim Lloyd <jlloyd () silvertailsystems com> wrote:
> I have a working application using libpcap that doesn't always filter as I expect. The application is designed to sniff http traffic, so the filter can be as simple as "tcp port 80". However, we allow sniffing multiple http servers running on different ports, so it is common to use a filter like "tcp and (port 80 or port 8080)". Because of this, when sniffing a single port, the filter we use will look like "tcp and (port 80)". This filter seems to work correctly "most" of the time, but in varying situations we start to see packets where neither the source port nor the destination port matches the specified port. Until today, I only noticed this for relatively high volume packet sniffing (say 250mbps). But now I am seeing it on one of our machines with a relatively modest volume of traffic (about 18mbps). I imagine it might be driver specific, and now I see that the Ethernet interfaces on the servers I have available for testing have a more diverse set of drivers than I was aware. Using ethtool and checking a few different interfaces, I see drivers bnx2, tg3, and forcedeth. I seem to be having problems with bnx2. Is this a known issue? No error code is returned when we compile and install the filter. Is there any way to determine if a filter is being ignored?
It turns out I was mistaken. An error code of -3 is being returned by pcap_setfilter. Instead of checking for a function result of 0, and assuming anything else was an error, my code was checking for a function result of -1, and assuming anything else was success. My bad.

So, what does an error code of -3 indicate? I've skimmed the source code and haven't found a path where -3 would be returned. I've done some experimentation and determined that apparently I must call pcap_activate before calling pcap_setfilter. That is counterintuitive, so I wonder if it is by design or not.

FYI this is all on Linux, using kernel 2.6.18, and using the recently released libpcap 1.1.

Thanks,
Jim Lloyd
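As an added example (not code from this thread or from libpcap itself), here is the create / activate / compile / setfilter order and the return-code handling that the message above arrives at, driven from Python through ctypes; it assumes libpcap is installed, that the process may open the device (root or CAP_NET_RAW on Linux), and the helper names are mine. In libpcap 1.x the status -3 is PCAP_ERROR_NOT_ACTIVATED, which pcap_setfilter returns on a handle that has not been passed to pcap_activate yet, so a check for `== -1` misses it while a check for `!= 0` catches it.

```python
import ctypes.util  # also binds the top-level ctypes module

class BpfProgram(ctypes.Structure):  # mirrors struct bpf_program from pcap/bpf.h
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]

def filter_for_ports(ports):
    """The thread's filter shape, e.g. 'tcp and (port 80 or port 8080)'."""
    return "tcp and (" + " or ".join(f"port {p}" for p in ports) + ")"

def is_failure(status):
    """0 is success, >0 a warning, <0 an error; -3 is PCAP_ERROR_NOT_ACTIVATED.
    Testing only for -1 (the thread's bug) lets -3 pass as success."""
    return status < 0

def _load_pcap():
    name = ctypes.util.find_library("pcap")
    if name is None:
        raise OSError("libpcap shared library not found")
    lib = ctypes.CDLL(name)
    lib.pcap_create.restype, lib.pcap_create.argtypes = ctypes.c_void_p, [ctypes.c_char_p, ctypes.c_char_p]
    lib.pcap_set_snaplen.argtypes = [ctypes.c_void_p, ctypes.c_int]
    lib.pcap_activate.argtypes = lib.pcap_close.argtypes = [ctypes.c_void_p]
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint]
    lib.pcap_setfilter.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram)]
    lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
    lib.pcap_geterr.restype, lib.pcap_geterr.argtypes = ctypes.c_char_p, [ctypes.c_void_p]
    lib.pcap_statustostr.restype, lib.pcap_statustostr.argtypes = ctypes.c_char_p, [ctypes.c_int]
    return lib

def _check(lib, handle, what, status):
    if is_failure(status):  # any negative code, not just -1
        detail = lib.pcap_geterr(handle).decode()  # libpcap's own explanation, if any
        lib.pcap_close(handle)
        raise RuntimeError(f"{what}: {lib.pcap_statustostr(status).decode()} {detail}")

def open_with_filter(device, ports, snaplen=65535):  # -> (lib, activated handle)
    lib = _load_pcap()
    errbuf = ctypes.create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    handle = lib.pcap_create(device.encode(), errbuf)
    if not handle:
        raise RuntimeError(f"pcap_create: {errbuf.value.decode()}")
    lib.pcap_set_snaplen(handle, snaplen)
    _check(lib, handle, "pcap_activate", lib.pcap_activate(handle))  # before setfilter
    prog, expr = BpfProgram(), filter_for_ports(ports).encode()
    _check(lib, handle, "pcap_compile", lib.pcap_compile(handle, ctypes.byref(prog), expr, 1, 0))
    status = lib.pcap_setfilter(handle, ctypes.byref(prog))  # test != 0, not == -1
    lib.pcap_freecode(ctypes.byref(prog))
    _check(lib, handle, "pcap_setfilter", status)
    return lib, handle
```

Calling open_with_filter("eth0", [80, 8080]) returns a handle ready for pcap_next_ex or pcap_loop; moving the pcap_activate call below pcap_setfilter reproduces the -3 status and the RuntimeError names it.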