
#139 filter on src host does not work

Git head
closed
nobody
5
2013-11-20
2010-08-05
Erhan Sen
No

using: tcpdump 4.1.1 and libpcap 1.1.1

I tried to filter my capture file through tcpdump to display only the TCP connections between 1.1.1.1 and 2.2.2.2 (IPs are just examples) by using the filter commands below:
tcpdump -r file.pcap src host 1.1.1.1 or dst host 1.1.1.1
and also
host 1.1.1.1

For some reason it only displays the 1.1.1.1 host on the destination side (2.2.2.2 -> 1.1.1.1) and does keep the 1.1.1.1 on the source side (1.1.1.1 -> 2.2.2.2).

I could not find this bug listed here, but I would appreciate it if you could point me to a workaround for this bug, if there is one. Thanks.

Discussion

  • Guy Harris

    Guy Harris - 2010-08-09

    Can you provide a capture file that shows this behavior? I tried it on an Ethernet capture and it worked.

    If you can't - for example, if you can't make the network traffic public - then:

    1) On what type of network (Ethernet, 802.11, etc.) was the capture done?

    2) On what version of what operating system was the capture done?

    3) If it was done on a network that supports VLANs, such as an Ethernet, are VLANs being used on that network?

    (Note that "on what ... was the capture done" asks about the machine on which you did the capture into the file.pcap file, not about the machine on which you're trying to read that file if the two machines are different.)

  • Erhan Sen

    Erhan Sen - 2010-08-11

    Hi,

    Thanks for the comment. Unfortunately the captures are not publicly available due to information it contains.

    1) Capture was done through an Endace DAG (d92x) card on Ethernet II.
    2) Capture was done on CentOS 5.4.
    3) VLANs are used on the network, but I tried the vlan option on the sniff filter as well and it didn't work.

    Here is the packet info from Wireshark that might give you some more info you need (ip, mac and payload are changed to ???)

    No. Time Source Destination Protocol Info
    3031 0.612059 1.1.1.1 2.2.2.2 FIX OrderCancelReplaceRequest

    Frame 3031 (315 bytes on wire, 315 bytes captured)
    Arrival Time: Aug 4, 2010 09:39:51.472581000
    [Time delta from previous captured frame: 0.000035000 seconds]
    [Time delta from previous displayed frame: 0.612059000 seconds]
    [Time since reference or first frame: 0.612059000 seconds]
    Frame Number: 3031
    Frame Length: 315 bytes
    Capture Length: 315 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:fix]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
    Ethernet II, Src: Cisco_ww: ?????, Dst: Cisco_ww: ?????
    Destination: Cisco_d8 ?????
    Address: Cisco_d8 ?????
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_fd ?????
    Address: Cisco_fd ?????
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Internet Protocol, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 301
    Identification: 0x153f (5439)
    Flags: 0x02 (Don't Fragment)
    0.. = Reserved bit: Not Set
    .1. = Don't fragment: Set
    ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x78da [correct]
    [Good: True]
    [Bad : False]
    Source: 1.1.1.1 (1.1.1.1)
    Destination: 2.2.2.2 (2.2.2.2)
    Transmission Control Protocol, Src Port: embrace-dp-s (3197), Dst Port: 9855 (9855), Seq: 2094, Ack: 2491, Len: 261
    Source port: embrace-dp-s (3197)
    Destination port: 9855 (9855)
    [Stream index: 14]
    Sequence number: 2094 (relative sequence number)
    [Next sequence number: 2355 (relative sequence number)]
    Acknowledgement number: 2491 (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgement: Set
    .... 1... = Push: Set
    .... .0.. = Reset: Not set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
    Window size: 64289
    Checksum: 0x8868 [validation disabled]
    [Good Checksum: False]
    [Bad Checksum: False]
    [SEQ/ACK analysis]
    [This is an ACK to the segment in frame: 3027]
    [The RTT to ACK the segment was: 0.000323000 seconds]
    [Number of bytes in flight: 261]
    [PDU Size: 261]

    Thanks.
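Question 3 above asks about VLANs because a plain Ethernet "host" filter reads the EtherType at offset 12 and expects the IPv4 header at offset 14; an 802.1Q-tagged frame carries 0x8100 there and the IP header four bytes further in, so such a filter never examines the tagged frame's addresses and the traffic silently drops out of the view. The Python below is an added illustration, not code from this ticket or from libpcap: it constructs (in memory) a tiny pcap with untagged and tagged frames between 1.1.1.1 and 2.2.2.2 and counts how many a naive versus a VLAN-aware host match sees.

```python
import struct
from typing import Iterator, List, Optional

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100


def build_frame(src_ip: str, dst_ip: str, vlan_id: Optional[int] = None) -> bytes:
    """Constructed sample: minimal Ethernet II (+ optional 802.1Q tag) + IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 0, i, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield each record's bytes; only the little-endian classic format is handled."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def host_matches(frame: bytes, host: str, vlan_aware: bool) -> bool:
    """Mimic 'host X'. Naive mode assumes IPv4 starts at offset 14, so a tagged
    frame (EtherType 0x8100 at offset 12) is rejected without reading its addresses."""
    ethertype, ip_off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_8021Q:
        if not vlan_aware:
            return False
        ethertype, ip_off = struct.unpack_from("!H", frame, 16)[0], 18  # skip the tag
    if ethertype != ETH_IPV4:
        return False
    src = ".".join(map(str, frame[ip_off + 12:ip_off + 16]))
    dst = ".".join(map(str, frame[ip_off + 16:ip_off + 20]))
    return host in (src, dst)


def count_matches(pcap: bytes, host: str, vlan_aware: bool) -> int:
    return sum(host_matches(f, host, vlan_aware) for f in iter_frames(pcap))


# Constructed sample: two untagged frames and one tagged on VLAN 100.
SAMPLE = build_pcap([build_frame("1.1.1.1", "2.2.2.2"),
                     build_frame("2.2.2.2", "1.1.1.1"),
                     build_frame("1.1.1.1", "2.2.2.2", vlan_id=100)])
```

Running count_matches(SAMPLE, "1.1.1.1", vlan_aware=False) returns 2 while the VLAN-aware variant returns 3; the difference is the tagged frame that a filter assuming a 14-byte Ethernet header never inspects.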

  • Guy Harris

    Guy Harris - 2010-08-11

    So that's one of the packets that "tcpdump host 1.1.1.1" *doesn't* print?

  • Erhan Sen

    Erhan Sen - 2010-08-11

    Correct.

  • Erhan Sen

    Erhan Sen - 2010-10-04

    Hi Guy,

    Were you able to look into this issue? Let me know if I can provide you with more info.

  • Denis Ovsienko

    Denis Ovsienko - 2013-11-20
    • status: open --> closed
    • Group: --> Git head
  • Denis Ovsienko

    Denis Ovsienko - 2013-11-20

    Administrators of the "libpcap" SourceForge project have superseded this tracker item (formerly artifact 3040174, now bug 139) with issue 141 of the "libpcap" GitHub project.
