Comments (21)
> This is the-tcpdump-group/libpcap#1105, which is a libpcap bug (rather than a tcpdump bug) that is fixed in libpcap 1.10.2.
Well noted, thank you.
from tcpdump.
The purpose of a packet analyser is to show accurately what is in the packet. As far as the provided output goes, both tcpdump and Wireshark seem to do that consistently and indicate an invalid value of the IP version header in a packet with IPv4 EtherType. Why this header field is invalid in this packet is a separate matter, and the best next step would be to identify the sender and to see what it is sending and why.
On what version of Linux (distribution and distribution version, and kernel version) are you running tcpdump?
What does tcpdump --version print?
> Why this header field is invalid in this packet is a separate matter, and the best next step would be to identify the sender and to see what it is sending and why.
Assuming what the sender sent and the machine running tcpdump received isn't getting mangled either by the Linux networking stack or by libpcap.
Does this also happen if you capture with -i eth0 or -i bond_port?
> On what version of Linux (distribution and distribution version, and kernel version) are you running tcpdump?
> What does tcpdump --version print?
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.16.1
SMI-library: 0.4.8
Linux OS: Suse 15.4
> Does this also happen if you capture with -i eth0 or -i bond_port?
No, with -i eth0 or -i bond_port, the printout is normal, no invalid shown, it happens only with any.
> No, with -i eth0 or -i bond_port, the printout is normal, no invalid shown, it happens only with any.
So probably a problem either with cooked mode in the kernel (PF_PACKET/SOCK_DGRAM rather than PF_PACKET/SOCK_RAW) or with libpcap's code for handling cooked-mode capturing.
> Linux OS: Suse 15.4
So that's openSuSE Leap 15.4?
> Linux OS: Suse 15.4
> So that's openSuSE Leap 15.4?
SUSE Linux Enterprise Server 15 SP4.
> No, with -i eth0 or -i bond_port, the printout is normal, no invalid shown, it happens only with any.
> So probably a problem either with cooked mode in the kernel (PF_PACKET/SOCK_DGRAM rather than PF_PACKET/SOCK_RAW) or with libpcap's code for handling cooked-mode capturing.
Is that possible to be fixed?
> Is that possible to be fixed?
If we are able to determine the cause, it might be possible for it to be fixed either in the kernel or worked around in libpcap if it's in the kernel code, and it might be possible for it to be fixed if it's in libpcap.
Unfortunately, we do not yet know the cause.
@MinpuKang, does the problem reproduce in a VM, or does SLES need to be running on a physical host for that?
> Is that possible to be fixed?
> If we are able to determine the cause, it might be possible for it to be fixed either in the kernel or worked around in libpcap if it's in the kernel code, and it might be possible for it to be fixed if it's in libpcap.
> Unfortunately, we do not yet know the cause.
Understood, thank you for your answer.
> @MinpuKang, does the problem reproduce in a VM, or does SLES need to be running on a physical host for that?
It is a physical host.
Does the network eth0 is on have VLAN traffic?
In the Wireshark capture, with the "version 8" IP, what is the raw hex value of the byte for 1000 .... = Version: 8, and what is the raw hex value of the byte after it? In particular, is the first byte 0x81 and is the byte after it 0x00?
> Encapsulation type: Linux cooked-mode capture v2 (210)
> ...
> libpcap version 1.10.1 (with TPACKET_V3)
There's a bug in libpcap 1.10.1 and at least some earlier versions that cause VLAN packets not to be properly handled by default when capturing on the "any" device.
What happens if you capture with tcpdump -i any -y LINUX_SLL?
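As an added illustration (not code from this thread or from libpcap), this is the consistency check the two comments above are getting at: read the protocol field of a Linux cooked-mode v2 record and compare it with the version nibble at the start of the payload, so a payload that begins with the 802.1Q TPID 0x8100 is reported as "IP version 8" for the reason it appears that way in Wireshark. The 20-byte header layout is the documented LINKTYPE_LINUX_SLL2 format; the records and the stray tag are constructed samples, and nothing here claims the exact byte layout libpcap 1.10.1 emitted.

```python
import struct

# LINKTYPE_LINUX_SLL2 header (20 bytes, network byte order): protocol type,
# reserved, interface index, ARPHRD type, packet type, link-layer address
# length, link-layer address (8 bytes, zero-padded).
SLL2_HDR = struct.Struct("!HHIHBB8s")
ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100
EXPECTED_VERSION = {ETH_P_IP: 4, ETH_P_IPV6: 6}


def check_sll2_record(record):
    """Cross-check the header's protocol field against the payload's version nibble.

    Verdicts: consistent (nibble matches: 4 for IPv4, 6 for IPv6),
    stray_vlan_tag (payload starts with TPID 0x8100, so the nibble reads 8,
    the symptom in this issue), mismatch (other disagreement), not_ip
    (protocol is not IPv4/IPv6), truncated (no payload to compare).
    """
    proto, _mbz, ifindex, _hatype, _pkttype, _halen, _addr = SLL2_HDR.unpack_from(record)
    payload = record[SLL2_HDR.size:]
    if len(payload) < 2:
        return {"ifindex": ifindex, "protocol": proto, "version": None, "verdict": "truncated"}
    result = {"ifindex": ifindex, "protocol": proto, "version": payload[0] >> 4}
    expected = EXPECTED_VERSION.get(proto)
    if expected is None:
        result["verdict"] = "not_ip"
    elif result["version"] == expected:
        result["verdict"] = "consistent"
    elif struct.unpack_from("!H", payload)[0] == ETH_P_8021Q:
        result["verdict"] = "stray_vlan_tag"
    else:
        result["verdict"] = "mismatch"
    return result


def make_record(proto, payload, ifindex=2):
    """Build a constructed SLL2 record (ARPHRD_ETHER = 1, packet type 0 = sent to us)."""
    return SLL2_HDR.pack(proto, 0, ifindex, 1, 0, 6, bytes(8)) + payload


# Constructed samples: the first 10 bytes of an IPv4 header (version 4, IHL 5),
# and the same bytes preceded by an 802.1Q tag (TPID 0x8100, TCI with VLAN id 100).
IPV4_START = bytes.fromhex("4500003c1c4640004006")
GOOD = make_record(ETH_P_IP, IPV4_START)
BAD = make_record(ETH_P_IP, bytes.fromhex("81000064") + IPV4_START)

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad", BAD)):
        r = check_sll2_record(rec)
        print(f"{name}: ifindex={r['ifindex']} proto=0x{r['protocol']:04x} "
              f"version={r['version']} verdict={r['verdict']}")
```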
> Encapsulation type: Linux cooked-mode capture v2 (210)
> ...
> libpcap version 1.10.1 (with TPACKET_V3)
> There's a bug in libpcap 1.10.1 and at least some earlier versions that cause VLAN packets not to be properly handled by default when capturing on the "any" device.
> What happens if you capture with tcpdump -i any -y LINUX_SLL?
It works well, no IP invalid. Big thanks.
This is the-tcpdump-group/libpcap#1105, which is a libpcap bug (rather than a tcpdump bug) that is fixed in libpcap 1.10.2.
Faced the same issue on Ubuntu 20.04.6.
tcpdump -i any -y LINUX_SLL works well. Thanks!
Just wanted to add that upgrading from libpcap v1.10.1 to v1.10.4 fixed this issue for me. The new pcaps work with Wireshark 4.2.4 on macOS Sonoma/14.4.1 (Installed via Homebrew) and also TShark (Wireshark) 3.2.3 on Ubuntu 20.04.6 LTS.