>>>>> "Hugh" == Hugh Daniel <[EMAIL PROTECTED]> writes:
    Hugh>   Here is a strange little problem I am seeing in a recent (see
    Hugh> version run at the end of the examples).  I can venture a guess that
    Hugh> something is slightly wrong with the pattern matching system that lets
    Hugh> something less than 200 packets through before working.  It is a bit
    Hugh> weird.

  It took me a moment to fully grok that the pattern should capture no ESP
packets. 
  
    Hugh> root@ahost# tcpdump -i eth0 not  esp and not arp and not port ssh
    Hugh> tcpdump: listening on eth0
    Hugh> 00:52:14.431631 east.toad.com > west.toad.com: ESP(spi=0xa4c9567f,seq=0x6b207e8)
    Hugh> 00:52:14.431636 west.toad.com > east.toad.com: ESP(spi=0xce407ddb,seq=0x6b2e566)
    Hugh> 00:52:14.431754 west.toad.com > east.toad.com: ESP(spi=0xce407ddb,seq=0x6b2e567)
    Hugh> ...
    Hugh> 00:52:14.442606 west.toad.com > east.toad.com: ESP(spi=0xce407ddb,seq=0x6b2e5b2)
    Hugh> 00:52:14.442679 west.toad.com > east.toad.com: ESP(spi=0xce407ddb,seq=0x6b2e5b3)
    Hugh> 00:52:14.442683 east.toad.com > west.toad.com: ESP(spi=0xa4c9567f,seq=0x6b20835)
    Hugh> ^C

    Hugh> 158 packets received by filter
    Hugh> 0 packets dropped by kernel

  I take it that this is reproducible?
  How about running with -w for a bit, and then seeing if:
      tcpdump -r filename not esp 
 
  shows anything? tcpdump -r filtering would use the internal BPF-based
filtering rather than pcap-linux.c directly. My guess is that the Linux
kernel filtering may be stomping on themselves randomly...

  What kernel version?

Canadian Commuter Challenge Project -- GNU Potato Caboose 
Michael Richardson, Sandelman Software Works, Ottawa, ON  
EMAIL: [EMAIL PROTECTED]
for help, email or page at 1-866-231-8608
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
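
An independent cross-check for the `-w` / `-r` test suggested in the message above, as an added example that is not part of the original message or of tcpdump: a small Python parser that counts ESP frames in a saved capture without going through any libpcap filter code. It assumes a classic pcap file with Ethernet link type and untagged IPv4 frames; the function names and the sample capture are constructed for illustration.

```python
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ESP = 50      # IP protocol number for ESP
DLT_EN10MB = 1        # pcap link type for Ethernet

def count_esp(pcap_bytes):
    """Return (total_packets, esp_packets) for a classic pcap file image."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    total = esp = 0
    off = 24                                  # end of the global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        total += 1
        # Ethertype sits at bytes 12-13; the IPv4 protocol field at 14 + 9.
        if len(frame) >= 24 and frame[12:14] == struct.pack("!H", ETHERTYPE_IPV4):
            if frame[23] == IPPROTO_ESP:
                esp += 1
    return total, esp

def build_sample():
    """Constructed capture: three IPv4 frames with protocols 50, 6, 50."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for proto in (IPPROTO_ESP, 6, IPPROTO_ESP):
        eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frame = eth + ip + b"\x00" * 8
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # With a file argument, check a real capture; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("total=%d esp=%d" % count_esp(data))
```

A non-zero ESP count on a file written by `tcpdump -w` with the `not esp` filter active would show that ESP frames passed the capture-time filter.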