Bug 19377

Summary: tcpdump -i tun0 not port/host x shows incoming traffic for that host/port
Product: Base System
Reporter: ue <ue>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 5.0-CURRENT   
Hardware: Any   
OS: Any   

Description ue 2000-06-19 16:50:01 UTC
According to the manpage, ``tcpdump not port X'' should not display traffic
from or to that port. Likewise, ``tcpdump not host X'' should not display
traffic from or to that host.

tcpdump works "as advertised" when I'm snooping on a conventional interface 
(tested with both ed and fxp). If I'm sniffing on the tun device, tcpdump
will still capture and display the incoming traffic. Using ``tcpdump not
( port X ) '' or ``tcpdump not ( src port X )'' doesn't change anything.

How-To-Repeat: 
use tcpdump not port X on a tun device with traffic for that port

Comment 1 ue 2000-06-21 22:55:27 UTC
Some additional datapoints:
- the problem also exists in both 4.0-RELEASE and RELENG-4 as of 08-JUN
- "positive" filtering (e.g. tcpdump -i tun0 port foo) works as expected
- Doing a tcpdump -i tun0 -w file and then tcpdump -r file not port foo
  shows the same symptoms. Using the same command line on a file captured
  from an Ethernet device works as expected.

Comment 2 Bill Fenner 2000-06-30 06:42:16 UTC
Can you follow up with the output of
tcpdump -d -i tun0 port foo
tcpdump -d -i tun0 not port foo

Thanks,
  Bill

Comment 3 ue 2000-06-30 11:26:09 UTC
> tcpdump -d -i tun0 port foo
(000) ld       [0]
(001) jeq      #0x1c000000      jt 2	jf 9
(002) ldb      [10]
(003) jeq      #0x6             jt 5	jf 4
(004) jeq      #0x11            jt 5	jf 21
(005) ldh      [44]
(006) jeq      #0x50            jt 20	jf 7
(007) ldh      [46]
(008) jeq      #0x50            jt 20	jf 21
(009) jeq      #0x2000000       jt 10	jf 21
(010) ldb      [13]
(011) jeq      #0x6             jt 13	jf 12
(012) jeq      #0x11            jt 13	jf 21
(013) ldh      [10]
(014) jset     #0x1fff          jt 21	jf 15
(015) ldxb     4*([4]&0xf)
(016) ldh      [x + 4]
(017) jeq      #0x50            jt 20	jf 18
(018) ldh      [x + 6]
(019) jeq      #0x50            jt 20	jf 21
(020) ret      #96
(021) ret      #0

> tcpdump -d -i tun0 not port foo

(000) ld       [0]
(001) jeq      #0x1c000000      jt 2	jf 9
(002) ldb      [10]
(003) jeq      #0x6             jt 5	jf 4
(004) jeq      #0x11            jt 5	jf 21
(005) ldh      [44]
(006) jeq      #0x50            jt 20	jf 7
(007) ldh      [46]
(008) jeq      #0x50            jt 20	jf 21
(009) jeq      #0x2000000       jt 10	jf 21
(010) ldb      [13]
(011) jeq      #0x6             jt 13	jf 12
(012) jeq      #0x11            jt 13	jf 21
(013) ldh      [10]
(014) jset     #0x1fff          jt 21	jf 15
(015) ldxb     4*([4]&0xf)
(016) ldh      [x + 4]
(017) jeq      #0x50            jt 20	jf 18
(018) ldh      [x + 6]
(019) jeq      #0x50            jt 20	jf 21
(020) ret      #0
(021) ret      #96

Good hunting!
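
Added example, not part of the bug report or of tcpdump: a small Python interpreter for the `tcpdump -d ... not port foo` listing posted in Comment 3, so the jump targets can be traced over sample frames. The names `run` and `frame` and the frames themselves are constructed for this example; the report does not say what bytes tun0 actually delivered.

```python
import re
# Filter program as posted in Comment 3 for "tcpdump -d -i tun0 not port foo".
NOT_PORT = """(000) ld       [0]
(001) jeq      #0x1c000000      jt 2 jf 9
(002) ldb      [10]
(003) jeq      #0x6             jt 5 jf 4
(004) jeq      #0x11            jt 5 jf 21
(005) ldh      [44]
(006) jeq      #0x50            jt 20 jf 7
(007) ldh      [46]
(008) jeq      #0x50            jt 20 jf 21
(009) jeq      #0x2000000       jt 10 jf 21
(010) ldb      [13]
(011) jeq      #0x6             jt 13 jf 12
(012) jeq      #0x11            jt 13 jf 21
(013) ldh      [10]
(014) jset     #0x1fff          jt 21 jf 15
(015) ldxb     4*([4]&0xf)
(016) ldh      [x + 4]
(017) jeq      #0x50            jt 20 jf 18
(018) ldh      [x + 6]
(019) jeq      #0x50            jt 20 jf 21
(020) ret      #0
(021) ret      #96"""
INSN = re.compile(r"\(\d+\)\s+(\w+)\s+(.+?)(?:\s+jt (\d+)\s+jf (\d+))?$")

def run(dump, pkt):
    prog = [INSN.match(line).groups() for line in dump.splitlines()]
    a = x = pc = 0
    while True:
        op, arg, jt, jf = prog[pc]
        # operand constant; for "4*([k]&0xf)" the offset k is the second number
        k = int(re.findall(r"0x[0-9a-f]+|\d+", arg)[op == "ldxb"], 0)
        if op == "ret":
            return k  # bytes to capture, 0 means the packet is dropped
        if op in ("jeq", "jset"):
            pc = int(jt if (a == k if op == "jeq" else a & k) else jf)
            continue
        size = 4 if op == "ld" else 2 if op == "ldh" else 1
        off = k + (x if arg.startswith("[x") else 0)
        if off + size > len(pkt):
            return 0  # an out-of-bounds load rejects the packet
        val = int.from_bytes(pkt[off:off + size], "big")
        a, x = (a, 4 * (val & 0xf)) if op == "ldxb" else (val, x)
        pc += 1

def frame(family, sport, dport):  # constructed input: family word + bare IPv4/TCP
    ip = b"\x45" + bytes(8) + b"\x06" + bytes(10)
    return family + ip + sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(16)
```

With the family word `b"\x02\x00\x00\x00"`, `run(NOT_PORT, frame(..., 1234, 80))` returns 0 and the same frame with destination port 443 returns 96. A port-80 frame whose family word is `b"\x00\x00\x00\x02"` matches neither constant at 001 or 009, falls through to 021 and returns 96.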

Comment 4 Brian Somers freebsd_committer freebsd_triage 2000-10-15 21:22:44 UTC
State Changed
From-To: open->closed

Fixed in -current