On Nov 12, 2014, at 3:07 PM, Matthew Schumacher wrote:
> On 11/11/2014 11:35 AM, Guy Harris wrote:
>>> But those aren't showing up with:
>>>
>>> # tcpdump -i eth1 -n -e -Q out
>>
>> What happens with
>>
>> tcpdump -i eth1 -n -e -p
>>
>> i.e., not filtering only for outgoing packets, but also not running in
>> promiscuous mode? (Just to make sure that the direction filtering is done
>> correctly on Linux.)
>
> I see all of the ingress broadcast and multicast traffic which is what I
> would expect.
But no outgoing traffic, presumably, right?
> I ran the same test on a host running kernel 3.10.17 and it does show
> traffic when the TX counter increments as an ARP reply:
>
> 15:37:41.569057 00:22:75:d7:02:d4 > 00:50:56:86:17:6d, ethertype ARP
> (0x0806), length 42: Reply 192.168.7.99 is-at 00:22:75:d7:02:d4, length 28
>
> That's very odd that:
>
> 1. The 3.2.45 host doesn't show any traffic even though the TX increments.
I guess, for whatever reason, 3.2.45 isn't sending some outgoing packets to
"taps" (that's what dev_queue_xmit_nit() does).
> 2. The 3.10.17 host shows all traffic that causes the TX to increment,
> but responds to arp on an interface that doesn't have an IP address.
Perhaps it's seen an ARP reply that says that 192.168.7.99 has the MAC address
00:22:75:d7:02:d4, so that's in its ARP cache, and is helpfully informing
whoever asked for the MAC address of 192.168.7.99 that it's 00:22:75:d7:02:d4.
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
