RHEL: tcpdump writes a corrupt time stamp on SYN-ACK frame captured on the lo device

Solution In Progress - Updated -

Issue

The time stamp of the SYN-ACK frame, when captured on the lo device, is incorrect. Note that only the SYN-ACK is affected; the other frames show the correct time stamp.

$ sudo tcpdump -i lo -w /tmp/tcpdump-lo &
[1] 32550
$ tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

$ ssh 127.0.0.1
ndavids@127.0.0.1's password: 
. . . . . .
$ exit
logout
Connection to 127.0.0.1 closed.

$ fg
sudo tcpdump -i lo -w /tmp/tcpdump-lo
^C76 packets captured
152 packets received by filter
0 packets dropped by kernel

$ tcpdump -n -r /tmp/tcpdump-lo tcp | cut -c 1-70
reading from file /tmp/tcpdump-lo, link-type EN10MB (Ethernet)
10:11:17.069374 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [S], seq 199
19:06:49.265866 IP 127.0.0.1.ssh > 127.0.0.1.34816: Flags [S.], seq 38 <<<<<<<
10:11:17.069422 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [.], ack 1, 
10:11:17.069902 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [P.], seq 1:
10:11:17.069919 IP 127.0.0.1.ssh > 127.0.0.1.34816: Flags [.], ack 24,
10:11:17.076000 IP 127.0.0.1.ssh > 127.0.0.1.34816: Flags [P.], seq 1:
. . . . .
10:11:35.324284 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [P.], seq 37
10:11:35.324301 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [P.], seq 38
10:11:35.324324 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [F.], seq 38
10:11:35.324328 IP 127.0.0.1.ssh > 127.0.0.1.34816: Flags [.], ack 387
10:11:35.364261 IP 127.0.0.1.ssh > 127.0.0.1.34816: Flags [.], ack 387
10:11:35.538498 IP 127.0.0.1.ssh > 127.0.0.1.34816: Flags [F.], seq 44
10:11:35.538525 IP 127.0.0.1.34816 > 127.0.0.1.ssh: Flags [.], ack 449
$

Note that the incorrect time is displayed by tshark as well.

$ tshark -n -r /tmp/tcpdump-lo -Y tcp -T fields -e frame.time | head -10
"Jul 31, 2017 10:11:17.069374000 MST"
"Jun 12, 1971 19:06:49.265866000 MST" <<<<<<<<<<<<<
"Jul 31, 2017 10:11:17.069422000 MST"
"Jul 31, 2017 10:11:17.069902000 MST"
"Jul 31, 2017 10:11:17.069919000 MST"
"Jul 31, 2017 10:11:17.076000000 MST"
"Jul 31, 2017 10:11:17.076022000 MST"
"Jul 31, 2017 10:11:17.076438000 MST"
"Jul 31, 2017 10:11:17.077625000 MST"
"Jul 31, 2017 10:11:17.077660000 MST"

Note that using tshark to capture the trace instead of tcpdump does not correct the problem.
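Because both tcpdump and tshark read the time stamp from the pcap record header, the quickest way to confirm which records are affected in an existing capture is to parse those headers directly. The following script is an added example, not part of this article and not Red Hat code: it parses the libpcap global and per-record headers (ts_sec/ts_usec) and flags any record whose time stamp is more than an hour away from all of its nearest neighbours, which is the pattern of a single corrupt frame sitting between otherwise consistent packets. The threshold, the neighbour window, and the sample capture (dummy payload bytes with time stamps converted from the MST values shown above) are all constructed here.

```python
"""Sanity-check packet time stamps in a libpcap capture file.

Added example (not part of the Red Hat article). The article shows a single
SYN-ACK on lo carrying a 1971 time stamp between packets from 2017. This
script parses the pcap record headers directly, so it reports the ts_sec /
ts_usec values the capture tool actually wrote, and flags any record whose
time stamp is far from all of its neighbours. The sample capture below is
constructed in-code; the payloads are dummy bytes, not real frames.
"""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4   # time stamps in microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # time stamps in nanoseconds
MICROS = 1_000_000


def build_pcap(records):
    """Build a little-endian microsecond pcap from (ts_sec, ts_usec, payload) tuples."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for ts_sec, ts_usec, payload in records:
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def parse_pcap(data):
    """Return a list of (timestamp_in_microseconds, payload) from raw pcap bytes."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file (bad magic)")
    nanosecond = magic == PCAP_MAGIC_NSEC
    records = []
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        payload = data[offset:offset + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet record at offset %d" % (offset - 16))
        offset += incl_len
        ts_us = ts_sec * MICROS + (ts_frac // 1000 if nanosecond else ts_frac)
        records.append((ts_us, payload))
    return records


def find_timestamp_outliers(timestamps, max_gap_us=3600 * MICROS, window=2):
    """Indices of time stamps more than max_gap_us away from every neighbour in the window.

    A single corrupt record (like the SYN-ACK in the article) is isolated: the
    packets on both sides of it sit far away in time. A genuine pause in
    traffic only separates a packet from one side, so it is not flagged.
    """
    outliers = []
    for i, ts in enumerate(timestamps):
        neighbours = timestamps[max(0, i - window):i] + timestamps[i + 1:i + 1 + window]
        if neighbours and all(abs(ts - n) > max_gap_us for n in neighbours):
            outliers.append(i)
    return outliers


def _iso(ts_us):
    """Exact UTC ISO-8601 string for an integer microsecond time stamp."""
    return datetime.fromtimestamp(ts_us // MICROS, tz=timezone.utc).replace(
        microsecond=ts_us % MICROS).isoformat()


def check_capture(data, max_gap_us=3600 * MICROS):
    """Parse a pcap and return (record_index, utc_timestamp) for each suspicious record."""
    timestamps = [ts for ts, _ in parse_pcap(data)]
    return [(i, _iso(timestamps[i])) for i in find_timestamp_outliers(timestamps, max_gap_us)]


def _epoch(*ymdhms):
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


# Constructed sample mirroring the article: 10:11:17 MST on 2017-07-31 is 17:11:17 UTC,
# and the bad SYN-ACK time "Jun 12, 1971 19:06:49 MST" is 1971-06-13 02:06:49 UTC.
SAMPLE_RECORDS = [
    (_epoch(2017, 7, 31, 17, 11, 17), 69374, b"SYN"),        # client SYN
    (_epoch(1971, 6, 13, 2, 6, 49), 265866, b"SYN-ACK"),     # corrupt time stamp
    (_epoch(2017, 7, 31, 17, 11, 17), 69422, b"ACK"),        # client ACK
    (_epoch(2017, 7, 31, 17, 11, 17), 69902, b"PSH-ACK"),
    (_epoch(2017, 7, 31, 17, 11, 35), 538525, b"FIN-ACK"),   # 18 s later: a real gap, not an outlier
]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for index, when in check_capture(SAMPLE_PCAP):
        print("record %d has a suspicious time stamp: %s" % (index, when))
```

To run it against a real file, replace SAMPLE_PCAP with the bytes of the capture (for example the /tmp/tcpdump-lo file from the session above). The check compares each record against up to two packets on either side rather than only its immediate neighbours, so a corrupt record at the start or end of a capture does not drag an adjacent good packet into the report.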

Environment

Red Hat Enterprise Linux 7.2 and beyond
tcpdump version 4.5.1
libpcap version 1.5.3
