On Jan 27, 2015, at 4:28 PM, Denis Ovsienko <de...@ovsienko.info> wrote:

> 
>> I.e., "tcpdump -i eth0 not tcp" prints *only* TCP packets? 
> 
> Yes, exactly. Just checked once again.
> 
>> Just out of curiosity, what does "tcpdump -i eth0 -d not tcp" print?
> 
> root@homepc:~# tcpdump -pni eth0 -d not tcp
> (000) ldh      [12]
> (001) jeq      #0x86dd          jt 2  jf 7

If ethertype == IPv6, go to 2, else go to 7

> (002) ldb      [20]
> (003) jeq      #0x6             jt 10 jf 4

If IPv6 Next Header is TCP, go to 10, else go to 4

> (004) jeq      #0x2c            jt 5  jf 11

If IPv6 Next Header is Fragment Header, go to 5, else go to 11

> (005) ldb      [54]
> (006) jeq      #0x6             jt 10 jf 11

If header after that is TCP, go to 10, else go to 11

> (007) jeq      #0x800           jt 8  jf 11

If ethertype == IPv4, go to 8, else go to 11

> (008) ldb      [23]
> (009) jeq      #0x6             jt 10 jf 11

If IPv4 Protocol is TCP, go to 10, else go to 11

> (010) ret      #0

Reject packet

> (011) ret      #262144

Accept packet

So that *looks* OK.

Could you run "tcpdump -i eth0 -xx not tcp" and see what the contents of the 
TCP packets being accepted are?

And what does "tcpdump -v" print?  Was it built with the latest libpcap?  This 
might be an issue with the kernel and libpcap not properly working together to 
deal with VLAN tags - this commit:

        commit 04660eb1e56102e2369473cae2538e4d3d263607
        Author: Michal Sekletar <msekl...@redhat.com>
        Date:   Fri Oct 31 15:19:54 2014 +0100

            Use BPF extensions in compiled filters
    
            libpcap will generate BPF filter code which uses BPF extensions if target
            platform supports them. Currently supported BPF extensions are vlan_tci and
            vlan_pr.
    
            Also to properly handle such filters when filtering in userspace libpcap now
            employs bpf_filter1.

fixed some issues there.


_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
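To make the disassembly above concrete, here is a small classic-BPF interpreter that runs that exact instruction sequence over constructed Ethernet frames. This is an added illustration, not code from this thread or from libpcap; the frames (zeroed MACs, minimal IPv4/IPv6 headers, an optional 802.1Q tag with VID 100) are constructed sample data, and the jt/jf targets are used as the absolute instruction numbers that "tcpdump -d" prints rather than the kernel's relative offsets. Beyond the cases annotated above, it also feeds the program a frame whose bytes still carry an 802.1Q tag: offset 12 then holds the TPID 0x8100, neither ethertype jeq matches, and the frame falls through to (011) and is accepted even though it is TCP. That shows only what this instruction sequence does on in-band tagged bytes, not what the reporter's kernel is actually doing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Only the classic-BPF opcodes this program uses. */
enum { OP_LDH, OP_LDB, OP_JEQ, OP_RET };
struct insn { int op; uint32_t k; uint8_t jt, jf; };   /* jt/jf: absolute targets */

/* The "not tcp" program, transcribed from the tcpdump -d output above. */
static const struct insn not_tcp[] = {
    {OP_LDH, 12,      0,  0},   /* (000) ethertype */
    {OP_JEQ, 0x86dd,  2,  7},   /* (001) IPv6?      */
    {OP_LDB, 20,      0,  0},   /* (002) IPv6 Next Header */
    {OP_JEQ, 0x6,    10,  4},   /* (003) TCP?       */
    {OP_JEQ, 0x2c,    5, 11},   /* (004) Fragment Header? */
    {OP_LDB, 54,      0,  0},   /* (005) Next Header inside the fragment header */
    {OP_JEQ, 0x6,    10, 11},   /* (006) TCP?       */
    {OP_JEQ, 0x800,   8, 11},   /* (007) IPv4?      */
    {OP_LDB, 23,      0,  0},   /* (008) IPv4 Protocol */
    {OP_JEQ, 0x6,    10, 11},   /* (009) TCP?       */
    {OP_RET, 0,       0,  0},   /* (010) reject     */
    {OP_RET, 262144,  0,  0},   /* (011) accept     */
};

/* Interpret a program over one frame. A load past the end of the frame
 * rejects the packet, as the kernel and libpcap interpreters do. */
static uint32_t bpf_run(const struct insn *prog, size_t n,
                        const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case OP_LDH:
            if (i->k + 2 > len) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            pc++; break;
        case OP_LDB:
            if (i->k + 1 > len) return 0;
            a = pkt[i->k];
            pc++; break;
        case OP_JEQ:
            pc = (a == i->k) ? i->jt : i->jf; break;
        case OP_RET:
            return i->k;
        }
    }
    return 0;
}

/* Constructed sample frame (not a real capture): zero MACs, optional 802.1Q
 * tag, then an IPv4 header carrying 'proto' as Protocol, or an IPv6 header
 * carrying 'proto' as Next Header, optionally behind a Fragment Header (44).
 * Returns the frame length. */
static size_t build_frame(uint8_t *buf, int tagged, int ipv6,
                          int fragmented, uint8_t proto)
{
    size_t off = 12;
    memset(buf, 0, 128);
    if (tagged) {
        buf[off++] = 0x81; buf[off++] = 0x00;   /* TPID 0x8100 */
        buf[off++] = 0x00; buf[off++] = 100;    /* PCP 0, VID 100 */
    }
    if (ipv6) {
        buf[off++] = 0x86; buf[off++] = 0xdd;
        buf[off] = 0x60;                        /* version 6 */
        buf[off + 6] = fragmented ? 44 : proto; /* Next Header */
        if (fragmented) buf[off + 40] = proto;  /* fragment header Next Header */
        off += fragmented ? 48 : 40;
    } else {
        buf[off++] = 0x08; buf[off++] = 0x00;
        buf[off] = 0x45;                        /* IPv4, IHL 5 */
        buf[off + 9] = proto;                   /* Protocol */
        off += 20;
    }
    return off;
}

/* 1 if "not tcp" keeps the frame, 0 if it drops it. */
int accepted(int tagged, int ipv6, int fragmented, uint8_t proto)
{
    uint8_t frame[128];
    size_t len = build_frame(frame, tagged, ipv6, fragmented, proto);
    return bpf_run(not_tcp, sizeof not_tcp / sizeof not_tcp[0], frame, len) != 0;
}

int main(void)
{
    static const struct { const char *name; int tagged, ipv6, frag; uint8_t proto; } c[] = {
        {"IPv4 TCP",               0, 0, 0, 6},
        {"IPv4 UDP",               0, 0, 0, 17},
        {"IPv6 TCP",               0, 1, 0, 6},
        {"IPv6 Fragment -> TCP",   0, 1, 1, 6},
        {"IPv6 Fragment -> UDP",   0, 1, 1, 17},
        {"802.1Q-tagged IPv4 TCP", 1, 0, 0, 6},
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-24s %s\n", c[i].name,
               accepted(c[i].tagged, c[i].ipv6, c[i].frag, c[i].proto) ? "accepted" : "rejected");
    return 0;
}
```

Running it prints one line per constructed frame; the untagged TCP cases are rejected and the tagged one is accepted, which is the behaviour to keep in mind when reading the -xx output asked for above.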