-----Original Message----- From: Shachar Shemesh <[EMAIL PROTECTED]> To: Leonid Podolny <[EMAIL PROTECTED]> Date: Tue, 04 Jan 2005 15:38:51 +0200 Subject: Re: Tcpdump question
> > Leonid Podolny wrote: > > > Hi, list, > > I seem to miss something basic about working with tcpdump. > > I have some system producing multicast IP traffic and I'm trying to > > watch it with tcpdump on my computer. (I can elaborate on the details > > of the traffic producer if it's needed). The point is that I have > > inbound flow of IP packets with src ip 192.168.135.2 and dst ip > > 224.3.0.25. > > Now, the questions: > > 1)The RX counter on the reciever interface is not being increased > > unless I manually put an interface into promiscuos mode (with ifconfig > > eth1 promisc). I was always sure that tcpdump does it by itself. > > 2)If I do put it into promiscuos mode manually, the RX reciever is > > being increased, but I still can't see the packets with tcpdump. In > > order to see them, the interface must have IP that begins with > > 192.168.135.x, which is totally illogical, since I have to recieve all > > ethernet frames, even if I don't have any IP on this computer. > > > I have never done multicast, so excuse me if I get something wrong. > Isn't a multicast address just a routing manipulation? Shouldn't the > hardware device still have a unicast address, even if it is > participating in a multicast ring? > Of course, it does. It usually has an ip at 192.168.0.x subnet, but as I stated, tcpdump wouldn't see packages I put in 192.168.135 subnet. I think I'll still have to reveal the whole picture here. I have a PC with a NIC (eth0) and a satellite interface.Linux sees the satellite card as an ordinary network interface (aba0). I configured a 802.1d bridging between two interfaces and I have another PC connected with a cross-over cable to the eth0 interface. When I look on the traffic upon aba0 interface, I can see the following: Layer 2: src 0:0:0:0:0:0, dst 01:00:5e:x:x:x. I don't have the exact address at hand right now, but the point is that it's a multicast. Layer 3: src 192.168.135.2 dst 224.3.0.25. As far as I understand, the bridge should simply broadcast the multicast frames on the eth0. The promiscuous NIC on the other side of the cross-over cable should recieve all the packets and show them all in tcpdump, even if it doesn't have IP configured. Sorry for the messy explanation. ================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
