On Tue, Jul 09, 2002 at 06:31:46PM -0500, Burton M. Strauss III wrote: > Igor we've been through this on the list. Use -j | --border-sniffer-mode. > > First off, having an unnumbered port only means you MUST use -m, otherwise > all traffic is remote.
By "unnumbered" you mean "ip-less", right? And by "MUST" you mean "MST in order for for active sessions to be listed", right? I don't have to use -m if I don't care about the sessions. > > The only way to be 100% sure is to try the experiment - running tcpdump on > your network. > > Limit it to traffic from, say, a specific host. On my network that would be > > tcpdump -i eth0 -c 100 -w filename ip and host 192.168.0.xxx > > You'll need to run it simultaneously on both the mirrored port and on a host > on the same switch port (you may have to insert a hub) as the one you pick > that isn't mirrored. And then compare the two captures... When you say "on the same switch port", do you mean "on a port which is on the same switch"? Sorry for being picky with the words, I just want to eliminate any ambiguity in interpretation of what you're saying. > > I'm pretty sure you will find that the MAC addresses have been re-written by > the switch to it's own MAC address. If the switch doesn't rewrite the > packets, you can run into spanning tree loops. It might even be in the docs > (or an option) for your switch. I need to think a bit more about what I need to do. I'm still not 100% clear on what I'm looking for in this experiment. Thanks Igor _______________________________________________ Ntop-dev mailing list [EMAIL PROTECTED] http://lists.ntop.org/mailman/listinfo/ntop-dev
