tcpdump is not working with zerocopy enabled (net.bpf.zerocopy_enable=1)
tcpdump is failing when zerocopy is enabled (net.bpf.zerocopy_enable=1) which is the default.
Sample failure message:
: tcpdump -i em0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes tcpdump: pcap_loop: BIOCROTZBUF: Capabilities insufficient
I had seen this a few weeks back but only on a vtnet interface. At the time, gnn found the bug in FreeBSD, but the fix does not seem to have made its way into pfSense 2.3 yet.
I've tried with multiple types of NICs (vmx, vtnet, em --real and virtualized, and re) -- same behavior on all. All on current snapshots.
#4 Updated by Luiz Souza about 5 years ago
Fix submitted to upstream: https://github.com/the-tcpdump-group/tcpdump/pull/486