Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1062511

Summary: tcpdump: WARNING: SIOCGIFADDR: nflog: No such device
Product: Red Hat Enterprise Linux 7 Reporter: Ian Kent <ikent>
Component: libpcapAssignee: Michal Sekletar <msekleta>
Status: CLOSED CURRENTRELEASE QA Contact: Jan Ščotka <jscotka>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.0CC: jiyin, jscotka, lmiksik, lnykryn, mwoehlke.floss
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 13:00:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ian Kent 2014-02-07 06:45:03 UTC 
Description of problem:
When using tcpdump within autofs tests run by beaker I get the
message "tcpdump: WARNING: SIOCGIFADDR: nflog: No such device".

Version-Release number of selected component (if applicable):
Sorry, I didn't record the package revision.
It's the one included in distro RHEL-7.0-20140130.n.0.

How reproducible:
Always with the command line:

tcpdump -nn -vvv -s 0 -U -w tcpdump.out ip dst $SERVER >&/dev/null &

where $SERVER is the address of another host in the multiple
server test.

Clearly I removed the >&/dev/null to find this out.


Steps to Reproduce:
1. As above.

Actual results:
As described above.

Expected results:
Packet capture is started.

Additional info:
I see the change referred to below is not applied to our rhel-7
libpcap, it might be relevant:
https://github.com/the-tcpdump-group/libpcap/commit/676cf8a
Comment 2 Michal Sekletar 2014-02-08 13:07:04 UTC 
You didn't specify interface on which you would like to capture packets. In this case tcpdump will call pcap_lookupdev() function which returns first non-loopback device on the box. It looks like on your machine nflog pseudo-interface is first in the list (you can check by printing list of available interfaces using tcpdump -D). There is a filter provided, but for DLT_NFLOG we don't support BPF filtering.

tcpdump shouldn't crash as it does now, but if we backport the patch it will not solve your problem. You'd have to patch your test anyway and provide interface name explicitly.
Comment 3 Ian Kent 2014-02-09 02:10:35 UTC 
(In reply to Michal Sekletar from comment #2)
> 
> tcpdump shouldn't crash as it does now, but if we backport the patch it will
> not solve your problem. You'd have to patch your test anyway and provide
> interface name explicitly.

That's sounds easy enough but it isn't.

It's a multi-host test and the beaker machines can be on
different subnets so you can't assume that because an
interface is on the same network it is the server in
question.

AFAICS there is only one interface used on each machine
and it would be reasonably straight forward to find it
but there is no guarantee that will be the case in future.

Perhaps the multiple interface argument above is lame
since tcpdump wouldn't know which interface to use either,
mmm ....

This is a regression though since, with a single interface,
this worked fine for years. What changed?

Ian
Comment 4 Michal Sekletar 2014-02-09 13:41:58 UTC 
Our primary source of information about interfaces on the system is getifaddrs() function. Looking at the source code, it doesn't look like something relevant has changed. If the order is different from what it was then I think something has changed under the hood, either glibc or kernel.

If there are any ordering guarantees for list of interfaces then this is the regression (not necessarily in libpcap). I will check on that with upstream maintainers. But I am not convinced yet that this is the case.
Comment 5 Michal Sekletar 2014-02-10 08:35:23 UTC 
According to discussion [1] ("The list of network adapters...") on tcpdump-workers mailing list it looks like there are no ordering guarantees and if you did rely on them I think you are just out of luck. Sorry.

I will just backport the patch so we don't segfault when trying to apply filter on interface with NFLOG datalink type.

[1] http://article.gmane.org/gmane.network.tcpdump.devel/5240
Comment 6 Ian Kent 2014-02-10 11:37:27 UTC 
(In reply to Michal Sekletar from comment #5)
> According to discussion [1] ("The list of network adapters...") on
> tcpdump-workers mailing list it looks like there are no ordering guarantees
> and if you did rely on them I think you are just out of luck. Sorry.
> 
> I will just backport the patch so we don't segfault when trying to apply
> filter on interface with NFLOG datalink type.

We should be filtering on an ip address (and if not it shouldn't
be too hard to do so) so a "-i any" might be sufficient, as long
as tcpdump doesn't fail due to the nflog problem.

Ian
Comment 7 Michal Sekletar 2014-02-10 14:29:51 UTC 
By all means, you can try -i any. Let me know if it works for you. And no, tcpdump should not fail when '-i any' is specified.
Comment 8 Ian Kent 2014-02-13 00:07:07 UTC 
(In reply to Michal Sekletar from comment #7)
> By all means, you can try -i any. Let me know if it works for you. And no,
> tcpdump should not fail when '-i any' is specified.

All usages of tcpdump in my tests use a source or destination
filter on addresses.

Using the "-i any" worked in a manual test and did result in
a couple of tests passing that previously failed due to this
difficulty.

So it looks like this approach works fine.
Comment 9 Michal Sekletar 2014-02-13 10:49:39 UTC 
I backported the patch [1]. Thanks for the report! Btw, I am glad to hear that -i any workaround works for you.

[1] http://bulk-mail.corp.redhat.com/archives/cvs-commits-list/2014-February/msg07008.html
Comment 12 Ludek Smid 2014-06-13 13:00:36 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Comment 14 Matthew Woehlke 2014-09-30 20:41:58 UTC 
I'm seeing this also in Fedora 20. Can the change be made there also, or do I need to open a separate bug report?