
I have a strange problem with tcpdump - it's like the filter I want to be applied to captured packets doesn't work instantly. Maybe it's perfectly normal, but to be honest I've never seen this before. Here's an example:

tcpdump -i ife0 -n not udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ife0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
08:23:24.720889 IP 10.0.21.67.45892 > 10.2.32.7.667: UDP, length 37
08:23:24.721170 IP 10.2.32.7.5778 > 10.0.21.67.45892: UDP, length 10

This doesn't happen every time; sometimes I see 2 packets, sometimes more. ife0 is a GRE interface (not much traffic, small UDP packets, usually ~150 pps). I'm using tcpdump version 4.1-PRE-CVS_2015_07_23 with libpcap version 1.4.0.

aqz
  • What happens if you use libpcap 1.7.0 and tcpdump 4.7.0, which are reasonably current versions as opposed to several-year-old versions? –  Feb 10 '16 at 07:57
  • It's the newest version CentOS 6 provides, and I haven't had this kind of problem with tcpdump version 3.9.8 and libpcap 0.9.8, which are even older. – aqz Feb 10 '16 at 08:02
  • "It's the newest version CentOS 6 provides" Nothing requires you to use the version CentOS 6 provides; you can download the source to newer versions (the current ones are actually 1.7.4 and 4.7.4, rather than 1.7.0 and 4.7.0) from www.tcpdump.org, compile them, and test them. –  Feb 10 '16 at 18:46
  • "and I haven't had this kind of problem with tcpdump version 3.9.8 and libpcap 0.9.8 which are even older" You're assuming that changes to libpcap can't *introduce* issues such as this, and the code path for receiving packets changed *quite* significantly between the .9 releases and the 1.0 release, in ways that *did* introduce some issues wherein you'd see a few packets that don't match the filter when the capture starts; those were fixed in a later release. –  Feb 10 '16 at 18:49
  • "Nothing requires you to use the version CentOS 6 provides; you can download the source to newer versions" - nope - not on this particular machine, I can't unfortunately. – aqz Feb 11 '16 at 07:37
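Added example (not from the question, the comments, or tcpdump itself): a small Python check that reads tcpdump's text output, flags packets a "not udp" filter should have dropped, and tells whether the leaked packets are all confined to the start of the capture, which is the pattern the comment above attributes to older libpcap releases delivering packets that were queued before the filter was attached. The sample lines are constructed from the question's output plus one made-up TCP segment; the protocol mapping only knows the UDP, TCP and ICMP line shapes tcpdump prints with -n.

```python
import re

# Constructed sample in tcpdump's text format: the two UDP lines from the question
# (which should have been excluded by "not udp") followed by a made-up TCP SYN.
SAMPLE_OUTPUT = """\
08:23:24.720889 IP 10.0.21.67.45892 > 10.2.32.7.667: UDP, length 37
08:23:24.721170 IP 10.2.32.7.5778 > 10.0.21.67.45892: UDP, length 10
08:23:24.730410 IP 10.0.21.67.52000 > 10.2.32.7.22: Flags [S], seq 1, win 29200, length 0
"""

# One packet per line: timestamp, "IP"/"IP6", src > dst, then the protocol summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def protocol_of(rest):
    """Map the text after 'src > dst:' to the keyword a BPF filter would use."""
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("Flags ["):   # tcpdump prints TCP segments this way
        return "tcp"
    if rest.startswith("ICMP"):
        return "icmp"
    return "other"


def parse_capture(text):
    """Return (line_number, timestamp, protocol) for every packet line; banner lines are skipped."""
    packets = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            packets.append((n, m.group("ts"), protocol_of(m.group("rest"))))
    return packets


def filter_leaks(text, excluded):
    """Packets of protocol `excluded` that a 'not <excluded>' filter should have dropped."""
    return [p for p in parse_capture(text) if p[2] == excluded]


def leak_confined_to_startup(text, excluded):
    """True when every leaked packet precedes the first packet the filter let through,
    i.e. the leak looks like a startup race rather than a filter that never applied."""
    packets = parse_capture(text)
    last_leak = max((i for i, p in enumerate(packets) if p[2] == excluded), default=-1)
    first_ok = next((i for i, p in enumerate(packets) if p[2] != excluded), len(packets))
    return last_leak < first_ok
```

Feed it `tcpdump -n ... > out.txt` output (or `tcpdump -r file.pcap -n`) and compare the leak count against the filter you asked for; re-filtering a saved pcap with `tcpdump -r` applies the filter in userspace to every packet and is a simple way to confirm the unwanted packets only slipped in at capture start.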

0 Answers