Hi Jim
it seems to be working in our lab on the same OS:

# ./tcpdump -i enp0s17 -nn -c 10 'port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s17, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:46.589097585 IP 192.168.1.4.22 > 192.168.1.234.54307: Flags [P.], seq 2056669083:2056669271, ack 3447617263, win 634, options [nop,nop,TS val 4294927894 ecr 224003549], length 188
15:59:46.589311703 IP 192.168.1.234.54307 > 192.168.1.4.22: Flags [.], ack 188, win 4090, options [nop,nop,TS val 224003752 ecr 4294927894], length 0
15:59:46.589591003 IP 192.168.1.4.22 > 192.168.1.234.54307: Flags [P.], seq 188:560, ack 1, win 634, options [nop,nop,TS val 4294927895 ecr 224003752], length 372
15:59:46.589749360 IP 192.168.1.234.54307 > 192.168.1.4.22: Flags [.], ack 560, win 4084, options [nop,nop,TS val 224003752 ecr 4294927895], length 0
15:59:46.589864810 IP 192.168.1.4.22 > 192.168.1.234.54307: Flags [P.], seq 560:916, ack 1, win 634, options [nop,nop,TS val 4294927895 ecr 224003752], length 356
15:59:46.589973993 IP 192.168.1.234.54307 > 192.168.1.4.22: Flags [.], ack 916, win 4084, options [nop,nop,TS val 224003752 ecr 4294927895], length 0
15:59:46.590173023 IP 192.168.1.4.22 > 192.168.1.234.54307: Flags [P.], seq 916:1272, ack 1, win 634, options [nop,nop,TS val 4294927895 ecr 224003752], length 356
15:59:46.590253672 IP 192.168.1.234.54307 > 192.168.1.4.22: Flags [.], ack 1272, win 4084, options [nop,nop,TS val 224003753 ecr 4294927895], length 0
15:59:46.590390756 IP 192.168.1.4.22 > 192.168.1.234.54307: Flags [P.], seq 1272:1628, ack 1, win 634, options [nop,nop,TS val 4294927896 ecr 224003753], length 356
15:59:46.590477507 IP 192.168.1.234.54307 > 192.168.1.4.22: Flags [.], ack 1628, win 4084, options [nop,nop,TS val 224003753 ecr 4294927896], length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel

# ./tcpdump -i enp0s17 -nn -c 10 'not port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s17, link-type EN10MB (Ethernet), capture size 262144 bytes
16:00:05.484731325 IP 192.168.1.234.57621 > 192.168.1.255.57621: UDP, length 44
16:00:06.571968816 LLDP, length 104: (none).(none)
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

# uname -a
Linux Host-001 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)

Please open an issue at https://github.com/ntop/PF_RING/issues to track this.

Thank you
Alfredo

> On 09 May 2016, at 17:51, Jim Hranicky <[email protected]> wrote:
>
> It seems that with the latest version of PF_RING, I'm having
> trouble getting the BPF filters to work, at least on RHEL 7.
>
> With normal tcpdump :
>
> % tcpdump -i enp4s0 -nn -c 10 'port 22'
> tcpdump: WARNING: enp4s0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp4s0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 17:50:00.338419 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.60212: Flags [.], seq 2354062218:2354063678, ack 800994694, win 2380, length 1460
> 17:50:00.338438 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 652703376:652703456, ack 606406036, win 5657, length 80
> 17:50:00.338466 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 0, win 255, length 0
> 17:50:00.338482 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.60212: Flags [.], seq 1460:8760, ack 1, win 2380, length 7300
> 17:50:00.339772 IP XX.XX.XX.XX.60212 > XX.XX.XX.XX.22: Flags [P.], seq 1:69, ack 32872, win 10519, length 68
> 17:50:00.339786 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 480:560, ack 1, win 5657, length 80
> 17:50:00.339789 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 480, win 253, length 0
> 17:50:00.339953 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 560:640, ack 1, win 5657, length 80
> 17:50:00.340376 IP XX.XX.XX.XX.22 > XX.XX.XX.XX.64833: Flags [P.], seq 640:720, ack 1, win 5657, length 80
> 17:50:00.340382 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 640, win 252, length 0
> 10 packets captured
> 895 packets received by filter
> 795 packets dropped by kernel
>
> With PF_RING's tcpdump :
>
> % /opt/pf/sbin/tcpdump -i enp4s0 -nn -c 10 'port 22'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp4s0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 21:50:05.398683938 IP XX.XX.XX.XX.80 > XX.XX.XX.XX.53190: Flags [.], seq 3437247066:3437255826, ack 3263609792, win 513, length 8760
> 21:50:05.398703325 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.56136: Flags [.], seq 1570714451:1570725683, ack 3907642189, win 273, length 11232
> 21:50:05.398712933 IP XX.XX.XX.XX.65125 > XX.XX.XX.XX.80: Flags [.], seq 2597100314:2597101774, ack 535663878, win 63855, length 1460
> 21:50:05.398721319 IP XX.XX.XX.XX.50271 > XX.XX.XX.XX.59307: Flags [.], seq 1379174102:1379181402, ack 3144835430, win 32768, length 7300
> 21:50:05.398728562 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.57125: UDP, length 1453
> 21:50:05.398732652 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.57125: UDP, length 1453
> 21:50:05.398736106 IP XX.XX.XX.XX.80 > XX.XX.XX.XX.36922: Flags [.], seq 308270661:308272109, ack 565323857, win 2050, options [nop,nop,TS val 2804111279 ecr 225559], length 1448
> 21:50:05.398739251 IP XX.XX.XX.XX.59307 > XX.XX.XX.XX.50271: Flags [.], ack 4294798264, win 12285, length 0
> 21:50:05.398740596 IP XX.XX.XX.XX.52813 > XX.XX.XX.XX.80: Flags [.], ack 3304701303, win 11946, options [nop,nop,TS val 1567099780 ecr 576135852,nop,nop,sack 1 {1449:60817}], length 0
> 21:50:05.398743104 IP XX.XX.XX.XX.52813 > XX.XX.XX.XX.80: Flags [.], ack 1, win 11946, options [nop,nop,TS val 1567099780 ecr 576135852,nop,nop,sack 1 {1449:62265}], length 0
> 10 packets captured
> 10 packets received by filter
> 0 packets dropped by kernel
>
> RH Ver : 3.10.0-327.13.1.el7.x86_64
> PF_RING Ver :
>
> PF_RING Version : 6.3.0 (dev:d568ce59908fd0021ec7910b0563db191301e61c)
> Total rings : 1
>
> Standard (non DNA/ZC) Options
> Ring slots : 4096
> Slot version : 16
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Total plugins : 0
> Cluster Fragment Queue : 0
> Cluster Fragment Discard : 0
>
> There seems to be an open issue here for the same thing :
>
> https://github.com/ntop/ntopng/issues/343
>
> Any ideas?
>
> --
> Jim Hranicky
> Data Security Specialist
> UF Information Technology
> 105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
> 352-273-1341
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
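As an added check, not code from this thread or from the PF_RING project: a small Python parser for the tcpdump -nn one-line output quoted above that lists every packet a working 'port 22' filter would have dropped, so a capture taken through PF_RING's tcpdump can be verified mechanically rather than by eye. The two sample captures are constructed from lines in the thread, and the parser assumes tcpdump's default line format (no -e, no -v).

```python
import re

# Flow prefix of a "tcpdump -nn" line: "<ts> IP <src>.<sport> > <dst>.<dport>:".
# Hosts may be anonymised (XX.XX.XX.XX) as in the quoted report; IPv6 lines say
# "IP6" and also end the address with ".<port>", so the same pattern applies.
_FLOW_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
)

def parse_flow(line):
    """(src, sport, dst, dport) for an IP/IP6 packet line, None for anything
    else (the banner, LLDP frames, the 'packets captured' counters)."""
    m = _FLOW_RE.match(line)
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def violates_port_filter(line, port):
    """True if the line is a packet with neither endpoint on `port`, i.e. one
    that a working 'port N' BPF filter would have discarded before delivery."""
    flow = parse_flow(line)
    if flow is None:
        return False
    return flow[1] != port and flow[3] != port

def leaked_packets(output, port):
    """All lines of a capture taken with 'port N' that the filter let through."""
    return [ln for ln in output.splitlines() if violates_port_filter(ln, port)]

# Constructed samples, abbreviated from the two captures quoted in the thread.
WORKING_CAPTURE = """\
listening on enp0s17, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:46.589097585 IP 192.168.1.4.22 > 192.168.1.234.54307: Flags [P.], seq 2056669083:2056669271, ack 3447617263, win 634, length 188
15:59:46.589311703 IP 192.168.1.234.54307 > 192.168.1.4.22: Flags [.], ack 188, win 4090, length 0
2 packets captured"""

BROKEN_CAPTURE = """\
listening on enp4s0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:50:05.398683938 IP XX.XX.XX.XX.80 > XX.XX.XX.XX.53190: Flags [.], seq 3437247066:3437255826, ack 3263609792, win 513, length 8760
21:50:05.398728562 IP XX.XX.XX.XX.443 > XX.XX.XX.XX.57125: UDP, length 1453
17:50:00.338466 IP XX.XX.XX.XX.64833 > XX.XX.XX.XX.22: Flags [.], ack 0, win 255, length 0
3 packets captured"""

if __name__ == "__main__":
    for name, cap in (("working", WORKING_CAPTURE), ("broken", BROKEN_CAPTURE)):
        bad = leaked_packets(cap, 22)
        print(f"{name}: {len(bad)} packet(s) leaked past 'port 22'", bad)
```

Pipe a real capture in with `tcpdump -i <iface> -nn -c 100 'port 22' | python3 -c '...'` (or save it to a file first); an empty result means the filter was applied, a non-empty one reproduces Jim's symptom.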
