Mailing List Archive

PF_RING 6.4.1/6.5.0 Not respecting BPF filtering?
Good day all,

Yesterday I discovered a problem on Ubuntu 16.04.1 (kernel 4.4.0-59) and
I'm hoping someone can help make sense of it. Both 6.4.1 and 6.5.0
(vanilla) do not seem to be honoring BPF filters. In the below example,
you can see I'm filtering for only port 22 packets and piping that into a
second capture filtering for anything not port 22. This should not produce
results. It only seems to happen at the beginning of a capture process.
In testing within a few seconds the filters seem to begin working
correctly. In 6.0.2 on Ubuntu 12.04 I don't see this problem.

admin@ubuntu:~$ sudo tcpdump -nn -i eth0 -w - port 22 | tcpdump -ttttt -nn -r - not port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
reading from file -, link-type EN10MB (Ethernet)
00:00:00.000000 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 2650108171:2650109619, ack 73754825, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000013 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 1448:2896, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000020 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 2896, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
00:00:00.000032 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 2896:4096, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
00:00:00.000035 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 4096:5544, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000039 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 5544, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
00:00:00.000046 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 5544:6992, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000047 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 6992:8192, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
00:00:00.000049 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 8192, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
00:00:00.000173 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 8192:9520, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1328: HTTP
00:00:00.000230 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 9520, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0

Let me know if there's any additional debugging information I can provide
that would assist.

Thanks!
Jason
Re: PF_RING 6.4.1/6.5.0 Not respecting BPF filtering?
Hi Jason
I think this is due to libpcap, which is activating the socket before setting the BPF filter,
thus you receive packets in that window. I am trying to avoid this somehow.

Jason

> On 19 Jan 2017, at 17:58, Jason <dn1nj4@gmail.com> wrote:

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
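To confirm whether a capture actually honoured its filter, and to size the unfiltered window described above, here is an added check (not code from this thread, nor from PF_RING or libpcap) that audits a pcap written by `tcpdump -w` under a `port 22` filter: any packet involving neither source nor destination port 22 counts as a leak, and the span from the first to the last leak is reported in microseconds. It assumes an Ethernet link type and builds its own constructed sample capture inline so it runs offline.

```python
import struct
def build_pcap(records):
    """Constructed little-endian pcap blob (linktype 1 = Ethernet) from (ts_sec, ts_usec, frame)."""
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 262144, 1)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack('<IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b''.join(out)

def ipv4_frame(src_port, dst_port, proto=6):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header."""
    eth = b'\x00' * 12 + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([80, 249, 106, 10]), bytes([192, 168, 55, 30]))
    return eth + ip + struct.pack('!HH', src_port, dst_port) + b'\x00' * 16

def read_packets(pcap_bytes):
    """Yield (timestamp_us, frame) from a pcap blob, honouring the magic's byte order."""
    endian = '<' if struct.unpack('<I', pcap_bytes[:4])[0] == 0xa1b2c3d4 else '>'
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + 'IIII', pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec * 1_000_000 + ts_usec, pcap_bytes[off:off + incl_len]
        off += incl_len

def l4_ports(frame):
    """Return (src_port, dst_port) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack('!HH', frame[14 + ihl:14 + ihl + 4])

def audit_port_filter(pcap_bytes, port=22):
    """Return (total, leaked, window_us); leaks are packets a 'port <port>' filter should drop."""
    total = leaked = 0
    first_leak = last_leak = None
    for ts_us, frame in read_packets(pcap_bytes):
        total += 1
        ports = l4_ports(frame)
        if ports is None or port not in ports:  # non-IP/non-TCP/UDP frames are leaks too
            leaked += 1
            first_leak = ts_us if first_leak is None else first_leak
            last_leak = ts_us
    return total, leaked, 0 if first_leak is None else last_leak - first_leak

# Constructed sample: three HTTP packets leak within the first 230 us, then only SSH.
SAMPLE = build_pcap([(1, 0, ipv4_frame(80, 37680)), (1, 13, ipv4_frame(80, 37680)),
                     (1, 230, ipv4_frame(37680, 80)), (2, 0, ipv4_frame(22, 50000)),
                     (3, 0, ipv4_frame(50000, 22))])
```

Run `audit_port_filter(open('capture.pcap', 'rb').read())` on a real capture; a non-zero leak count with a window of only a few hundred microseconds at the start of the file is the signature of the activate-before-filter race rather than a wrong filter expression.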
Re: PF_RING 6.4.1/6.5.0 Not respecting BPF filtering?
Hi Jason
there is a workaround for this, please check the latest dev packages and let me know.

Thank you
Alfredo

> On 19 Jan 2017, at 18:45, Alfredo Cardigliano <cardigliano@ntop.org> wrote:
