Solved

Tcpdump filter does not apply

Posted on 2009-05-18
657 Views
Last Modified: 2012-05-07
For some reason, my tcpdump filters are not functioning properly when using eth1. The same filters apply to eth0 without issues.
Nothing shows up in dmesg or /var/log/messages.
tcpdump version 3.9.4, libpcap version 0.9.4


/usr/sbin/tcpdump -i eth0 -n host 192.168.100.86
returns valid packets

/usr/sbin/tcpdump -i eth1 -n | grep 192.168.100.86
works, returns valid packets

/usr/sbin/tcpdump -i eth1 -n host 192.168.100.86
returns nothing; break gives
0 packets captured
"X" packets received by filter
0 packets dropped by kernel
0
Comment
Question by:timbrigham
18 Comments
 
LVL 1

Author Comment

by:timbrigham
ID: 24414029
Additional info, filtering by destination.
I *should* see the packets with the 192.168.100.86 address using the filter, right?
/usr/sbin/tcpdump -i eth1 -n | grep 4.2.2.2
12:00:09.839973 IP 192.168.100.86 > 4.2.2.2: ICMP echo request, id 768, seq 19712, length 40
12:00:09.840100 IP 65.167.121.106 > 4.2.2.2: ICMP echo request, id 11045, seq 19712, length 40
12:00:09.855686 IP 4.2.2.2 > 65.167.121.106: ICMP echo reply, id 11045, seq 19712, length 40
12:00:09.855752 IP 4.2.2.2 > 192.168.100.86: ICMP echo reply, id 768, seq 19712, length 40
 
/usr/sbin/tcpdump -i eth1 -n dst host 4.2.2.2
11:59:35.615753 IP 65.167.121.106 > 4.2.2.2: ICMP echo request, id 11044, seq 19456, length 40
11:59:35.631495 IP 4.2.2.2 > 65.167.121.106: ICMP echo reply, id 11044, seq 19456, length 40


0
 
LVL 57

Expert Comment

by:giltjr
ID: 24414593
What distribution of Linux are you using?  Can you upgrade to a newer release of tcpdump?

Using dst host 4.2.2.2 you should see all packets leaving that interface going to that host.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24414768
I'm running CentOS 5.3. I'll run another yum update to see if it resolves the issue.
I haven't found any CentOS RPMs for 4.0 / 1.0,  and installing from source is against company policy.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24414847
You may want to try capturing to a file and see what happens; you don't need the -n when going to a file.  Then you can use something like wireshark to decode the file.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24414905
I opened the dump file with an old copy of Ethereal. It only shows the packets from the public interfaces, same as tcpdump.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24414961
I updated and rebooted the machine running tcpdump, no change.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24414982
What do you mean by "public" interfaces?

You may want to try using -i any and see what you get and what interface (based on MAC address) it is going out on.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24415035
Sorry, public IPs, not interfaces. Everything comes in through eth1. I always use the -i argument assigned to eth1.
tcpdump is running behind a tap concentrator connected to eth1 which pulls in data from both the inside and outside interfaces of a firewall.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24415262
Where is 192.168.100.86 on the network?  Is this PC on that subnet?  If so, which interface?
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24415309
Internet-Tap-Firewall-Tap-Network Switch-192.168.100.86

eth1 on the tcpdump machine connects to both the taps listed here.
eth0 on the tcpdump machine is 192.168.100.30, for management.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 24415480
I will assume that you are using a /24 subnet, so eth0 is on the 192.168.100.0/24 subnet.  That may have something to do with it.

Do you have the problem only with addresses in the 192.168.100.0/24 subnet?

I will see if I can set up a similar environment, but my guess is that something weird is happening with the filter because you have an interface within the subnet you are looking for, but it is not on the interface that you are capturing on.  I've never had that setup.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24415570
Yes, that is correct. The only problems I'm having are on the 192.168.100.0/24 subnet.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24415742
I'll see if I can set up something similar, but not sure when I can.  My best guess right now is that because you have one interface on the subnet you are attempting to filter on, something under the covers is expecting that traffic on eth0 and will ignore it on eth1.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24415766
I'll try changing the management IP to a separate subnet so we can verify if this is indeed the case.
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24415887
I configured the management interface in the 172.16.22.0/24 subnet without any change in filter behavior.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24416251
Um, do you have an entry in your route table for the 192.168.100.0/24 subnet that points to eth0?
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24416296
Not sure about when I changed the system to use the 172.16.22.0/24 range, but now that it is back in the 192.168.100.0/24 range, yes, I do have an entry in the route table for that subnet.
0
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 24814344
I found a workaround by defining pass rules for all TCP / UDP / ICMP for specific IP ranges. Not ideal, but it works.
Awarding points to giltjr for his extensive help.
0
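An added example, not from the thread or from tcpdump itself, showing the offline check giltjr suggested (capture to a file, then decode it): it builds a small pcap in memory from the four ICMP lines of the unfiltered eth1 capture and applies tcpdump-style host / src host / dst host matching by reading the IPv4 header directly. The MAC addresses, timestamp and pcap layout are constructed; the IP addresses are the ones from the thread.

```python
# Added example (not from the thread): build a small pcap in memory from the
# ICMP exchange the poster saw, then apply tcpdump-style host / src / dst
# matching by decoding the IPv4 header, to check a saved capture offline.
import socket
import struct

def ipv4_icmp_frame(src, dst, icmp_type):
    # Ethernet (constructed MACs) + 20-byte IPv4 header + 8-byte ICMP header
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 768, 19712)   # id/seq from thread
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + icmp

def build_pcap(frames, linktype=1):
    # Classic pcap: 24-byte global header, then a 16-byte record header per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1242648009, i, len(frame), len(frame)) + frame
    return out

def iter_packets(pcap):
    # Yield (src, dst) for IPv4-over-Ethernet frames, None for anything else
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        else:
            yield None

def count_matches(pcap, host, direction="host"):
    # Return (captured, received) the way tcpdump's end-of-run statistics report them
    captured = received = 0
    for pkt in iter_packets(pcap):
        received += 1
        if pkt is not None:
            src, dst = pkt
            wanted = {"host": (src, dst), "src": (src,), "dst": (dst,)}[direction]
            captured += int(host in wanted)
    return captured, received

# Constructed sample mirroring the four lines from the unfiltered eth1 capture
SAMPLE = build_pcap([
    ipv4_icmp_frame("192.168.100.86", "4.2.2.2", 8),
    ipv4_icmp_frame("65.167.121.106", "4.2.2.2", 8),
    ipv4_icmp_frame("4.2.2.2", "65.167.121.106", 0),
    ipv4_icmp_frame("4.2.2.2", "192.168.100.86", 0),
])
```

Against a real file written with tcpdump -w, a frame that this decoder reports as non-IPv4 (yielding None) is one whose IP header is not at the Ethernet offset a plain `host` filter assumes, which is the first thing to compare with the output of tcpdump -r on the same file.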