Thursday, September 10, 2009

tcpdump can't find /dev/bpf

While setting up a new router/firewall, I ran into this issue during testing:

# tcpdump -n -e -tttt -vv -i pflog0
tcpdump: (cannot open device) /dev/bpf: No such file or directory

# ls /dev/bp*
crw------- 1 root wheel - 0, 84 Sep 9 20:54 /dev/bpf0
crw------- 1 root wheel - 0, 86 Sep 9 20:54 /dev/bpf1
crw------- 1 root wheel - 0, 87 Sep 9 20:54 /dev/bpf2


Turns out that the tcpdump package for FreeBSD 7.2 that I had installed, version 3.9.7, was the cause of the problem. The weird part is that the base tcpdump is 3.9.8 -- newer than the packaged port! Weird indeed.

Anyway, I deinstalled the package, and now the base tcpdump has no problem attaching to the pflog0 interface for real-time pflog examination.

# which tcpdump
/usr/local/sbin/tcpdump

# pkg_deinstall tcpdump
---> Deinstalling 'tcpdump-3.9.7'
[Updating the pkgdb ... (...) done]

# which tcpdump
/usr/sbin/tcpdump

# tcpdump -V
tcpdump version 3.9.8
libpcap version 0.9.8
Usage: tcpdump ...

# /usr/sbin/tcpdump -n -e -tttt -vv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
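
The failing command names /dev/bpf, while the ls output shows only the numbered /dev/bpf0.. nodes, so the mismatch sits in the binary (and the libpcap it was built against), not in the kernel. The helper below is an added example, not part of the original post: it takes an explicit PATH string and /dev directory as arguments (instead of the live ones) so it can be exercised against a constructed fake tree, reports which BPF node style a /dev directory offers, and shows which tcpdump a given PATH would resolve first, which is exactly the two facts the session above had to discover by hand. The function names and the trailing self-check are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the original post).
# bpf_device_kind DIR: prints "clone" if DIR/bpf exists (the cloning device
# node), "numbered" if only DIR/bpf0, bpf1, ... exist, "none" otherwise.
bpf_device_kind() {
    dir=$1
    if [ -e "$dir/bpf" ]; then
        echo clone
        return 0
    fi
    # The glob stays unexpanded when nothing matches; -e then fails safely.
    for node in "$dir"/bpf[0-9]*; do
        if [ -e "$node" ]; then
            echo numbered
            return 0
        fi
    done
    echo none
    return 0
}

# first_in_path NAME PATHSPEC: prints the first executable NAME along the
# colon-separated PATHSPEC, mirroring what `which` does with the real PATH.
first_in_path() {
    name=$1
    pathspec=$2
    oldifs=$IFS
    IFS=:
    for d in $pathspec; do
        if [ -x "$d/$name" ]; then
            IFS=$oldifs
            echo "$d/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# diagnose NAME PATHSPEC DEVDIR: one line summarising which binary would run
# and which BPF node style is available to it.
diagnose() {
    bin=$(first_in_path "$1" "$2") || bin="(not found)"
    kind=$(bpf_device_kind "$3")
    echo "binary=$bin bpf=$kind"
}

# Stand-alone run against the live system (assumed usage; harmless on any host).
diagnose tcpdump "$PATH" /dev
```

On the FreeBSD 7.2 box from the post this would have printed binary=/usr/local/sbin/tcpdump bpf=numbered before the package was removed and binary=/usr/sbin/tcpdump bpf=numbered after, making it obvious that the packaged binary was the thing to remove, not something to mknod.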


Live and learn...