tcpdump bgp packet filters not working for VLAN traffic on mirrored ports in Red Hat Enerprise Linux 7

Solution Verified - Updated -

Issue

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

tcpdump bgp packet filters not working for mirrored ports in Red Hat Enerprise Linux 7

When creating a port mirror and mirroring VLAN traffic to a port, filters to tcpdump's live capture do not work. When capturing the data to a binary .pcap, it is possible to analyze traffic with the appropriate filters.

For example, the following works:

[root@computeovsdpdk-0 ~]# tcpdump -nne -i snooper0 -l | grep -i "icmp "
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on snooper0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:06.875929 fa:16:3e:42:83:14 > fa:16:3e:ce:96:cc, ethertype 802.1Q (0x8100), length 102: vlan 106, p 0, ethertype IPv4, 172.16.0.109 > 192.168.0.116: ICMP echo request, id 27814, seq 1, length 64
10:42:06.875974 fa:16:3e:ce:96:cc > fa:16:3e:42:83:14, ethertype 802.1Q (0x8100), length 102: vlan 106, p 0, ethertype IPv4, 192.168.0.116 > 172.16.0.109: ICMP echo reply, id 27814, seq 1, length 64
^C24 packets captured
24 packets received by filter
0 packets dropped by kernel

But the following does not work:

[root@computeovsdpdk-0 ~]# tcpdump -nne -i snooper0 -l vlan and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on snooper0, link-type EN10MB (Ethernet), capture size 262144 bytes

Whereas capturing to a file and then reading from the file works:

[root@computeovsdpdk-0 ~]# tcpdump -i snooper0 -w capture.pcap
tcpdump: listening on snooper0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C21 packets captured
25 packets received by filter
0 packets dropped by kernel
[root@computeovsdpdk-0 ~]# tcpdump -r capture.pcap -nne vlan and icmp
reading from file capture.pcap, link-type EN10MB (Ethernet)
10:43:03.283761 fa:16:3e:42:83:14 > fa:16:3e:ce:96:cc, ethertype 802.1Q (0x8100), length 102: vlan 106, p 0, ethertype IPv4, 172.16.0.109 > 192.168.0.116: ICMP echo request, id 27982, seq 1, length 64
10:43:03.283829 fa:16:3e:ce:96:cc > fa:16:3e:42:83:14, ethertype 802.1Q (0x8100), length 102: vlan 106, p 0, ethertype IPv4, 192.168.0.116 > 172.16.0.109: ICMP echo reply, id 27982, seq 1, length 64

Note: This already takes into account that any VLAN tagged taffic must be captured with vlan and ..., yet the live filter does not work.

This particularly affects live captures with ovs-tcpdump for DPDK environments.

This affects Red Hat Enterprise Linux 7 only. The same issue cannot be reproduced in Red Hat Enterprise Linux 8 or in a RHEL 8 container.

Environment

Red Hat Enterprise Linux 7

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In