| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Oct 2014 00:58:42 +0200 From: Lukas Tribus <luky-37@...mail.com> To: "netdev@...r.kernel.org" <netdev@...r.kernel.org> CC: John Fastabend <john.r.fastabend@...el.com>, Michał Mirosław <mirq-linux@...e.qmqm.pl>, Jiri Pirko <jpirko@...hat.com>, Ben Hutchings <bhutchings@...arflare.com>, Atzm Watanabe <atzm@...atosphere.co.jp>, Patrick McHardy <kaber@...sh.net>, Jesse Gross <jesse@...ira.com> Subject: tcpdump's capture filter: "vlan" doesn't match Hi, since 2.6.39 (including -rc1), tcpdump "vlan" capture filters don't match anymore. All 2.6.38 and older kernels are fine. I reproduced this specifically on a r8169 NIC on 2.6.39-rc1, but I found this problem initially on bnx2 and e1000e nics. Howto reproduce: just tcpdump with a "not vlan", "vlan" or "vlan <vlanid>" capture filter on a passive eth interface (dot1q/vlan/ip config not necessary). Actual behavior is that a "vlan [vlanid]" capture filter doesn't match the (tagged) packet, and a "not vlan" capture filter matches everything. Disabling rx-vlan-offloading via ethtool -K eth0 rxvlan off doesn't change anything. Here we are filtering for "not vlan" and we can see that the matched frame is vlan tagged: # tcpdump -Uenc1 not vlan tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 22:03:39.077584 70:ca:9b:01:23:34> 00:18:f8:01:23:34, \ *ethertype 802.1Q (0x8100), length 70: vlan 7, p 0*, ethertype IPv4, \ 192.168.47.9.443> 192.168.32.30.39436: Flags [.], ack 255248912, \ [...] 1 packet captured 169 packets received by filter 0 packets dropped by kernel 59 packets dropped by interface # As suggested here [1], we can pipe everything through another tcpdump instance: tcpdump -Uw - | tcpdump -en -r - vlan <vlanid> But that is not something that works for my specific use-case (dedicated sniffer box, dedicated interface connected to a Cisco SPAN/mirror port, un/single/double-tagged packets, remotely accessible via remote-pcap [2]). The sniffer should also be able to: - maintain the frame as-is, including dot1q, dot1p (preferably without artificial recreation of header fields/values and including CFI/DEI) - "direct" capture filter based on vlan (not through multiple userspace instances) Kernel <= 2.6.38 perfectly satisfies those requirements. Isn't disabling rx-vlan-offloading supposed to remedy those problems? Thanks, Lukas [1] https://bugzilla.redhat.com/show_bug.cgi?id=498981 [2] https://github.com/frgtn/rpcapd-linux -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists