Tyler West <[EMAIL PROTECTED]> writes: > We did find something else interesting. The eth0 interface is our > "management" interface for the Debian system through which we access the > box. It is addressed as 150.4.1.69. If we do continuous pings to > 150.4.1.69 and run 'tcpdump -nn -i eth0 host 150.4.1.69' it displays the > ICMP packets.
Hmm, so basically the bug occurs only on the eth1 interface, which receives mirrored traffic from your switch. What are the Ethernet addresses of the packets coming from that port (source/destination)? (And of eth1?) It might be that some part of the chain (libpcap/kernel) tries to optimize things and drop packets that do not match the hardware address of your card when you use a host filter. Or something. Please also try the following: - capture icmp traffic only => tcpdump -i eth1 proto \\icmp - disable pcap filter optimization => tcpdump -O -i eth1 Also, I see STP traffic on the interface... Do you have a bridge configured on the Debian host? That might make a difference. > Is it possible that something is screwing with promiscuous mode when > the filters are used because the filter will display packets that are > directed to the Debian system itself? I think the problem lies in your network configuration. The fact that the capture works as intended on your eth0 interface proves that the software itself is functional. Thanks, -- ,''`. : :' : Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
