On Tue, Jul 21, 2020 at 10:02:55AM +1000, David Gwynne wrote:
> kn@ pointed me at this, and we came up with the following. firstly, we
> narrowed the problem down to pcap not actually looking at the header to
> decide if a packet was ipv4 or ipv6:

dlg did the hard work, really - without him I'd probably have spent hours
reading through code.

> our tunnel interfaces pretty much all use DLT_LOOP as their link type,
> so this behaviour is consistent across all of them.
>
> why the filter unconditionally matches these packets is because of
> this stuff in src/lib/libpcap/gencode.c. im including bits for DLT_NULL
> for comparison:

> DLT_LOOP does have a link type header though, so we should fix
> init_linktypes. this is backed up by
> https://www.tcpdump.org/linktypes.html.

tl;dr: DLT_NULL is for loopback interfaces but host byte order, so
sharing pcap files across different endian machines is problematic.

DLT_LOOP is network byte order and does not suffer from this, but seems
OpenBSD specific.

> this diff seems to work ok:

You can compare behaviour more easily like this:

	$ cd /usr/src/lib/libpcap
	$ make
	# LD_LIBRARY_PATH=./obj tcpdump -i lo0 -d ip
	# tcpdump -i lo0 -d ip

OK kn
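The byte-order point in the message above, as an added example that is not part of the original mail and is not libpcap code: it classifies a packet by the 4-byte address family header, decoding DLT_LOOP in network byte order and DLT_NULL in the reader's own order. All `ex_` names and the sample headers are constructed for illustration, and the family values 2 and 24 assume OpenBSD's AF_INET and AF_INET6.

```c
#include <stddef.h>
#include <stdint.h>

enum ex_proto { EX_UNKNOWN, EX_IPV4, EX_IPV6 };

/* Family values carried in the 4-byte header (OpenBSD: AF_INET 2, AF_INET6 24). */
#define EX_AF_INET   2u
#define EX_AF_INET6 24u

/* Constructed sample headers: family field followed by the first IP byte. */
const unsigned char ex_v4_be[] = { 0, 0, 0, 2, 0x45 };  /* network order */
const unsigned char ex_v6_be[] = { 0, 0, 0, 24, 0x60 }; /* network order */
const unsigned char ex_v4_le[] = { 2, 0, 0, 0, 0x45 };  /* little-endian writer */

/* Decode 4 bytes as a 32-bit value in the requested byte order. */
static uint32_t ex_read32(const unsigned char *p, int little_endian)
{
    if (little_endian)
        return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
               ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static enum ex_proto ex_from_family(uint32_t af)
{
    if (af == EX_AF_INET)
        return EX_IPV4;
    return af == EX_AF_INET6 ? EX_IPV6 : EX_UNKNOWN;
}

/* DLT_LOOP: the family is always in network byte order, so every reader agrees. */
enum ex_proto ex_classify_loop(const unsigned char *pkt, size_t len)
{
    return len < 4 ? EX_UNKNOWN : ex_from_family(ex_read32(pkt, 0));
}

/* DLT_NULL: the family is in the writer's byte order; the reader uses its own. */
enum ex_proto ex_classify_null(const unsigned char *pkt, size_t len, int reader_le)
{
    return len < 4 ? EX_UNKNOWN : ex_from_family(ex_read32(pkt, reader_le));
}

int main(void)
{
    /* Exit 0: DLT_LOOP decodes as IPv4, the cross-endian DLT_NULL read does not. */
    return !(ex_classify_loop(ex_v4_be, sizeof ex_v4_be) == EX_IPV4 &&
             ex_classify_null(ex_v4_be, sizeof ex_v4_be, 1) == EX_UNKNOWN);
}
```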
