tcpdump filter (mis)behaviour

Hollinch · March 16, 2011, 6:33pm

Hello, I am a bit puzzled. I am trying to capture data using tcpdump on a bonded interface, which works fine until I add a filter, then nothing is seen nor captured by libpcap/tcpump.

I have interfaces eth3 and eth4 bonded to bond0 because I am using a tap in a firewall connection to monitor all in and outgoing traffic.

All is fine if I just run tcpdump on the bond0 interface - all traffic is correctly shown. As soon as I specify a filter nothing seems to be seen nor captured anymore.

Some examples of command lines I tried:

/usr/local/sbin/tcpdump -i bond0 -nn tcp port 80
/usr/local/sbin/tcpdump -i bond0 -nn tcp port http

For example, without filters output is shown as here (and http traffic was seen to be present):

root@lins01:~# /usr/local/sbin/tcpdump -i bond0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
23:07:30.871053 IP 192.168.192.239.22 > 192.168.192.1.58229: Flags [P.], ack 2019718192, win 382, options [nop,nop,TS val 1091628665 ecr 724203], length 112
23:07:30.871291 IP 192.168.192.239.22 > 192.168.192.1.58229: Flags [P.], ack 1, win 382, options [nop,nop,TS val 1091628665 ecr 724203], length 112
23:07:30.871540 IP 192.168.192.239.22 > 192.168.192.1.58229: Flags [P.], ack 1, win 382, options [nop,nop,TS val 1091628665 ecr 724203], length 192
23:07:30.871553 IP 192.168.192.239.22 > 192.168.192.1.58229: Flags [P.], ack 1, win 382, options [nop,nop,TS val 1091628665 ecr 724203], length 192
23:07:30.892570 IP 192.168.192.1.58229 > 192.168.192.239.22: Flags [.], ack 112, win 6032, options [nop,nop,TS val 724205 ecr 1091628665], length 0
23:07:30.892773 IP 192.168.192.239.22 > 192.168.192.1.58229: Flags [P.], ack 1, win 382, options [nop,nop,TS val 1091628670 ecr 724205], length 384
23:07:30.892780 IP 192.168.192.239.22 > 192.168.192.1.58229: Flags [P.], ack 1, win 382, options [nop,nop,TS val 1091628670 ecr 724205], length 192

With a valid filter specified it sits forever, and finally when I terminate tcpdump it shows 0 packets captured, 0 packets received by filter and 0 packets dropped by kernel. As if no traffic of the specified nature was present, while I am certain it is.

The OS is Debian 5.0.8, with tcpdump version 3.9.8 and libpcap version 0.9.8. I also tried to upgrade to tcpdump 4.0.0 and libpcap 1.0.0, but the result is the same.

I tried to remove the bond and just monitor on one of the individual interfaces, but this still did not produce any results with filters specified (without filters I correctly see half of my traffic, send or receive, depending on which interface I select).

Anyone has any suggestions what to try to get filters working?

Many thanks in advance for your help.

Corona688 · March 16, 2011, 6:43pm

Could you show an example of the filter you're using?

Hollinch · March 17, 2011, 7:30am

As above,

tcp port 80
tcp port http

Or simply
port 80
or
port 22
Etc

---------- Post updated at 12:30 PM ---------- Previous update was at 12:53 AM ----------

Just thinking. If tcpdump and libpcap are not at fault here (as I have used two different versions of both with the same result), the only thing remaining would be the network card driver I suppose. Can this be of influence in this behaviour? I would expect not, as the filter applies to libpcap, but...?

Thanks

Hollinch · March 21, 2011, 9:56am

OK I found it, with Google's help...

Apparently I need to add 'vlan and ...' to my filter expression when VLANs are used. Without filter expression, tcpdump and libpcap just output everything, but as soon as filters are specified, the vlan tagging needs to be specified.

See here Blog St�phane Bortzmeyer: Un exemple de panne amusante de tcpdump

Hope it is useful to others as well.

fpmurphy · March 21, 2011, 8:26pm

Thanks for updating us with the solution.