tcpdump mailing list archives
Re: odd issue with Linux VLAN interface
From: Denis Ovsienko <denis () ovsienko info>
Date: Wed, 28 Jan 2015 01:14:51 +0000
[...]
If IPv4 Protocol is TCP, go to 10, else go to 11
(010) ret #0
Reject packet
(011) ret #262144
Accept packet
So that *looks* OK.
Thank you for the analysis!
Could you run "tcpdump -i eth0 -xx not tcp" and see what the contents of the TCP packets being accepted are?
I have to correct myself: "tcpdump -pni eth0 not tcp" actually yields both TCP and everything else (ARP and UDP). It
turns out that during all previous runs that "everything else" just didn't make it to the screen because of timing. Now
it does, please see:
root@homepc:~# tcpdump -pni eth0 -xx not tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:56:19.466860 IP 109.74.202.168.6633 > 10.0.75.2.56538: Flags [.], ack 2668283334, win 235, options [nop,nop,TS val
521910355 ecr 1688339], length 0
0x0000: d4ca 6d72 b1da 000f ea18 f623 8100 004b
0x0010: 0800 4500 0034 dd1d 4000 3406 dcb1 6d4a
0x0020: caa8 0a00 4b02 19e9 dcda 6f36 d02b 9f0a
0x0030: c5c6 8010 00eb b34a 0000 0101 080a 1f1b
0x0040: b853 0019 c313
00:56:20.332325 ARP, Request who-has 10.0.75.3 tell 10.0.75.254, length 28
0x0000: d4ca 6d66 cf65 000f ea18 f623 8100 004b
0x0010: 0806 0001 0800 0604 0001 000f ea18 f623
0x0020: 0a00 4bfe 0000 0000 0000 0a00 4b03
It looks like the filter just has no effect at all, as "tcpdump -pni eth0 not arp" also delivers a similar mix of
packets including ARP.
And what does "tcpdump -v" print? Was it built with the latest libpcap? This might be an issue with the kernel and
libpcap not properly working together to deal with VLAN tags - this commit:
commit 04660eb1e56102e2369473cae2538e4d3d263607
Author: Michal Sekletar <msekleta () redhat com>
Date: Fri Oct 31 15:19:54 2014 +0100
Use BPF extensions in compiled filters
libpcap will generate BPF filter code which uses BPF extensions if target
platform supports them. Currently supported BPF extensions are vlan_tci and
vlan_pr.
Also to properly handle such filters when filtering in userspace libpcap now
employs bpf_filter1.
fixed some issues there.
It is today's master branch build of both:
root@homepc:~# tcpdump --version
tcpdump version 4.7.0-PRE-GIT_2015_01_28
libpcap version 1.7.0-PRE-GIT_2015_01_28
OpenSSL 1.0.1f 6 Jan 2014
This Ubuntu host has no BPF extensions:
denis@homepc:~/libpcap$ fgrep -r SO_BPF_EXT /usr/include/
denis@homepc:~/libpcap$
If this is a new bug, I can file it if it helps.
--
Denis Ovsienko
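
Added example, not part of the original message and not libpcap code: a simplified Python model of the "not tcp" test, run over the two frames from the -xx hex dumps above. It evaluates each frame once at the offsets used for untagged Ethernet and once shifted past the in-line 802.1Q tag. The function names and the reduced filter logic (no IPv6 fragment-header branch) are assumptions for illustration.

```python
import struct

# Frames copied from the -xx hex dumps in the message above.
TCP_FRAME = bytes.fromhex(
    "d4ca6d72b1da000fea18f6238100004b"
    "080045000034dd1d40003406dcb16d4a"
    "caa80a004b0219e9dcda6f36d02b9f0a"
    "c5c6801000ebb34a00000101080a1f1b"
    "b8530019c313")
ARP_FRAME = bytes.fromhex(
    "d4ca6d66cf65000fea18f6238100004b"
    "08060001080006040001000fea18f623"
    "0a004bfe0000000000000a004b03")

ETH_P_8021Q, ETH_P_IP, ETH_P_IPV6, IPPROTO_TCP = 0x8100, 0x0800, 0x86DD, 6

def vlan_info(frame):
    """Return (vlan_id, shift); shift is 4 when an 802.1Q tag follows the MACs."""
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    if ethertype == ETH_P_8021Q:
        return tci & 0x0FFF, 4
    return None, 0

def not_tcp(frame, shift=0):
    """Simplified model of a 'not tcp' filter; True means the packet is accepted.

    shift=0 reads the EtherType at offset 12, as for untagged Ethernet.
    shift=4 skips one in-line 802.1Q tag before reading it.
    """
    (ethertype,) = struct.unpack_from("!H", frame, 12 + shift)
    if ethertype == ETH_P_IP:
        return frame[23 + shift] != IPPROTO_TCP   # IPv4 protocol field
    if ethertype == ETH_P_IPV6:
        return frame[20 + shift] != IPPROTO_TCP   # IPv6 next header
    return True                                   # not IP, therefore not TCP

def compare(frame):
    """Return (vlan_id, verdict at untagged offsets, verdict at tag-aware offsets)."""
    vlan_id, shift = vlan_info(frame)
    return vlan_id, not_tcp(frame), not_tcp(frame, shift)

if __name__ == "__main__":
    for name, frame in (("TCP", TCP_FRAME), ("ARP", ARP_FRAME)):
        print(name, compare(frame))
```

At the untagged offsets both frames are accepted, because the value at offset 12 is 0x8100 in each; only the tag-aware evaluation rejects the TCP segment.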
