Bug #5257

tcpdump is not working with zerocopy enabled (net.bpf.zerocopy_enable=1)

Added by Jim Pingle over 4 years ago. Updated about 4 years ago.

Operating System
Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


tcpdump is failing when zerocopy is enabled (net.bpf.zerocopy_enable=1) which is the default.

Sample failure message:

: tcpdump -i em0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump: pcap_loop: BIOCROTZBUF: Capabilities insufficient

I had seen this a few weeks back but only on a vtnet interface. At the time, gnn found the bug in FreeBSD, but the fix does not seem to have made its way into pfSense 2.3 yet.

I've tried with multiple types of NICs (vmx, vtnet, em --real and virtualized, and re) -- same behavior on all. All on current snapshots.


#1 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to High

seems to affect all interface types, physical hardware, VMs, virtual interfaces (PPPoE, GRE, gif)

#2 Updated by Luiz Souza over 4 years ago

  • Assignee set to Luiz Souza

#3 Updated by Luiz Souza over 4 years ago

The recent fixes I did in bpf (that fixed the zerocopy buffers in bpf) caused this issue (now that tcpdump is really trying to use the zero copy buffers).

There is a disallowed ioctl in capsicum.

I'll submit the fix to upstream.

#5 Updated by Luiz Souza over 4 years ago

I am disabling the zero copy buffers in pfSense until all the raised issues are fixed in FreeBSD.

#6 Updated by Luiz Souza about 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Workaround committed to 2.3.

Awaiting the next tcpdump release (and the hostapd fix) to enable the zero copy buffers again.

#7 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved


Also available in: Atom PDF