tcpdump missing packets with different filters for different interfaces
Luiz Angelo Daros de Luca
luizluca at gmail.com
Tue Feb 2 23:26:00 EST 2021
Hello,
While debugging with tcpdump, I noticed some strange results. I tested
both with tcpdump-mini and tcpdump in 19.07. My router uses the
standard eth0.2 as wan, eth0.1 and multiple wlan bridged br-lan.
While pinging dns.google (ipv6 and ipv4), I tried these with tcpdump(-full):
Listening to "any", I got only IPv4 (wlan, br-lan, eth0.2 / eth0,
eth0.2, br-lan, wlan), I got no IPv6
# tcpdump -i any icmp or icmp6 -n
01:02:21.804830 IP 192.168.3.999 > 8.8.8.8: ICMP echo request, id 46,
seq 30, length 64
01:02:21.804830 IP 192.168.3.999 > 8.8.8.8: ICMP echo request, id 46,
seq 30, length 64
01:02:21.804946 IP 999.999.96.75 > 8.8.8.8: ICMP echo request, id 46,
seq 30, length 64
01:02:21.826868 ethertype IPv4, IP 8.8.8.8 > 999.999.96.75: ICMP echo
reply, id 46, seq 30, length 64
01:02:21.826868 IP 8.8.8.8 > 999.999.96.75: ICMP echo reply, id 46,
seq 30, length 64
01:02:21.826962 IP 8.8.8.8 > 192.168.3.999: ICMP echo reply, id 46,
seq 30, length 64
01:02:21.826978 IP 8.8.8.8 > 192.168.3.999: ICMP echo reply, id 46,
seq 30, length 64
If do not use filter, I can see the expected ICMPv6 packets arriving:
# tcpdump -i any -n
01:22:06.348704 IP 192.168.3.999 > 8.8.8.8: ICMP echo request, id 46,
seq 1213, length 64
01:22:06.348704 IP 192.168.3.999 > 8.8.8.8: ICMP echo request, id 46,
seq 1213, length 64
01:22:06.348812 IP 999.999.96.75 > 8.8.8.8: ICMP echo request, id 46,
seq 1213, length 64
01:22:06.368259 ethertype IPv4, IP 8.8.8.8 > 999.999.96.75: ICMP echo
reply, id 46, seq 1213, length 64
01:22:06.368259 IP 8.8.8.8 > 999.999.96.75: ICMP echo reply, id 46,
seq 1213, length 64
01:22:06.368357 IP 8.8.8.8 > 192.168.3.999: ICMP echo reply, id 46,
seq 1213, length 64
01:22:06.368375 IP 8.8.8.8 > 192.168.3.999: ICMP echo reply, id 46,
seq 1213, length 64
...
01:22:06.255748 IP6 2804:9999:9999:9999::9ca > 2001:4860:4860::8888:
ICMP6, echo request, seq 1324, length 64
01:22:06.255748 IP6 2804:9999:9999:9999::9ca > 2001:4860:4860::8888:
ICMP6, echo request, seq 1324, length 64
01:22:06.255895 IP6 2804:9999:9999:9999::9ca > 2001:4860:4860::8888:
ICMP6, echo request, seq 1324, length 64
01:22:06.278039 ethertype IPv6, IP6 2001:4860:4860::8888 >
2804:9999:9999:9999::9ca: ICMP6, echo reply, seq 1324, length 64
01:22:06.278039 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 1324, length 64
01:22:06.278171 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 1324, length 64
01:22:06.278191 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 1324, length 64
Listening to "eth0", I got IPv4 and IPv6, but only incoming.
# tcpdump -i eth0 icmp or icmp6 -n
01:05:34.013966 IP 8.8.8.8 > 999.999.96.75: ICMP echo reply, id 46,
seq 222, length 64
01:05:34.014860 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 333, length 64
Again, if I change the filter to something like 'vlan 2', I can see both:
# tcpdump -i eth0 vlan 2 -n
...
01:06:56.107341 IP 999.999.96.75 > 8.8.8.8: ICMP echo request, id 46,
seq 304, length 64
...
01:06:56.127299 IP 8.8.8.8 > 999.999.96.75: ICMP echo reply, id 46,
seq 304, length 64
...
01:06:57.067497 IP6 2804:9999:9999:9999::9ca > 2001:4860:4860::8888:
ICMP6, echo request, seq 416, length 64
...
01:06:57.096174 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 416, length 64
If I capture the external vlan interface or br-lan, all works as expected:
# tcpdump -i eth0.2 icmp or icmp6 -n
01:08:38.213303 IP6 2804:9999:9999:9999::9ca > 2001:4860:4860::8888:
ICMP6, echo request, seq 517, length 64
01:08:38.233701 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 517, length 64
01:08:38.256486 IP 999.999.96.75 > 8.8.8.8: ICMP echo request, id 46,
seq 406, length 64
01:08:38.278949 IP 8.8.8.8 > 999.999.96.75: ICMP echo reply, id 46,
seq 406, length 64
# tcpdump -i br-lan icmp or icmp6 -n
01:10:40.406118 IP6 2804:9999:9999:9999::9ca > 2001:4860:4860::8888:
ICMP6, echo request, seq 639, length 64
01:10:40.429046 IP6 2001:4860:4860::8888 > 2804:9999:9999:9999::9ca:
ICMP6, echo reply, seq 639, length 64
01:10:40.432067 IP 192.168.3.999 > 8.8.8.8: ICMP echo request, id 46,
seq 528, length 64
01:10:40.453203 IP 8.8.8.8 > 192.168.3.999: ICMP echo reply, id 46,
seq 528, length 64
The only reliable way to filter is to not use them and let the reader
(wireshark) do it afterwards. But that workaround is not
an option while capturing through the same interface you need to
capture traffic on.
Is this really expected? Maybe a weird mips bug? Or a bad side effect
from some openwrt size optimization?
Regards,
---
Luiz Angelo Daros de Luca
luizluca at gmail.com
More information about the openwrt-devel
mailing list