On Jan 27, 2015, at 4:09 PM, Denis Ovsienko <de...@ovsienko.info> wrote:
> some time ago I did troubleshooting on a Linux PC and that involved running
> tcpdump with the "not tcp" filter on a few network interfaces to put a number
> of background TCP connections out of scope (I was interested how other
> protocols' packets were making from one interface to the other). At some
> point I had realized that tcpdump was printing TCP packets _only_ and no
> other protocols (again, the filter was "not tcp"). Later I figured it out how
> to reproduce the problem but not the cause of it.
>
> The host has an Ethernet interface with only an IPv6 link-local address
> (eth0). On top of it there is a VLAN interface with VID 75 (eth0.75), IPv6
> link-local address and IPv4 address 10.0.75.254/24. The difference is, when
> tcpdump runs with "-i eth0.75", it works as expected and displays ARP and,
> for instance, UDP from/to the network 10.0.75.0/24. When run with "-i eth0",
> it displays only TCP from/to network 10.0.75.0. This looks wrong in two ways
> as the tagged packets should not appear on the bearing interface in the first
> place and even if they appear there the filter should exclude them, but
> instead of this it excludes all the other packets.

I.e., "tcpdump -i eth0 not tcp" prints *only* TCP packets?

Just out of curiosity, what does "tcpdump -i eth0 -d not tcp" print?

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers