tcpdump filter not functioning correctly with igb on FreeBSD 11.1

David Athay davida at truespeed.com
Tue Feb 6 17:38:12 UTC 2018


I am running tcpdump -ni igb0 with a filter, and I see some weird results.

If I use ‘not’ with host or port then it shows only those hosts or ports, and if I don’t use not, and just use ‘host’ or ‘port’, it filters them out as if I had used ‘not’.

tcpdump -ni igb0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:18:08.863067 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521876235:521876423, ack 2066644163, win 1026, options [nop,nop,TS val 554193435 ecr 716910521], length 188
17:18:08.864772 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 716910525 ecr 554193434], length 0
17:18:08.866353 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23651, options [nop,nop,TS val 716910526 ecr 554193435], length 0

tcpdump -ni igb0 not host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:20:21.901147 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521879011:521879199, ack 2066645503, win 1026, options [nop,nop,TS val 554326474 ecr 717043360], length 188
17:20:21.902970 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 717043364 ecr 554326472], length 0
17:20:21.903364 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23650, options [nop,nop,TS val 717043364 ecr 554326474], length 0

tcpdump -ni igb0 host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
55 packets received by filter
0 packets dropped by kernel

tcpdump -ni igb0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
408 packets received by filter
0 packets dropped by kernel

Seems to work fine on our FreeBSD 10.3 servers that use igb, and doesn’t happen on FreeBSD 11.1 servers that use bge.

Can anyone explain what is happening?

—
David Athay
Senior DevOps Engineer
TrueSpeed Communications Ltd. 


