Bug 52654 - Tcpdump get spurious packets before kernel filter kicks in
Tcpdump get spurious packets before kernel filter kicks in
Product: Red Hat Public Beta
Classification: Retired
Component: tcpdump (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Harald Hoyer
Depends On:
  Show dependency treegraph
Reported: 2001-08-27 14:41 EDT by David Dillow
Modified: 2008-05-01 11:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-08-30 09:08:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:089 normal SHIPPED_LIVE : Updated tcpdump packages available for Red Hat Linux 6.2 and 7.x 2001-06-28 00:00:00 EDT

  None (edit)
Description David Dillow 2001-08-27 14:41:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; OSF1 V4.0 alpha)

Description of problem:
When running tcpdump using a kernel filter on a busy network, I see several
packets that do not match my filter at the beginning of the dump. After
several of these, the filter kicks in and the output is correct.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Machine A is
Machine B is
Machine C is

0. make sure your kernel supports socket filters
1. on machine A, start a ping flood to another machine "ping -f"
2. on machine A, start a tcpdump filtering traffic to machine C "tcpdump
3. you will see several of the icmp echo and echo responses from machine B,
then only traffic to machine C

Actual Results:  I see several packets to Machine B in the dump

Expected Results:  I should not see packets from Machine B in the dump,
only packets to and from machine C

Additional info:

This issue occurs due to the interaction in libpcap and the kernel
implementation of filters. When a PF_PACKET socket is created, it is bound
into the network and starts receiving packets. Packets are placed upon its
queue for pickup via recvfrom(). libpcap then binds the socket to an
interface, and then sets the filter on the socket. None of these actions
call skb_queue_purge(), which means that packets that were put in the queue
before the filter was set remain in the queue and are picked up by libpcap,
and hence tcpdump.

If you use the PACKET_RX_RING extensions, skb_queue_purge() is called, and
you will only see filtered packets. Also, if kernel filtering is not
available, the user BPF filter is called for each packet received, and this
problem will not surface.
Comment 1 Harald Hoyer 2001-08-30 09:28:22 EDT
fixed in tcpdump-3.6.2-8
Comment 2 Pekka Savola 2001-08-31 07:38:51 EDT
If curious, this should already be fixed in tcpdump.org HEAD branch:


(new set_kernel_filter function).

I wonder when the next version is coming out...

Note You need to log in before you can comment on or make changes to this bug.