That doesn't sound like a libpcap problem ... I'd guess you need the ISP to do a reset on the switch so that it reinitializes the MAC tables.
All I know is that ntop gets packets on the interface as a single stream, regardless of sub interface. See my comments re how promiscuous mode works in answer to your other ? too... -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Porter Sent: Tuesday, June 07, 2005 5:55 PM To: [email protected] Subject: RE: [Ntop] Broadcast? --On Tuesday, June 07, 2005 5:23 PM -0500 Burton Strauss <[EMAIL PROTECTED]> wrote: > Every subnetwork has a broadcast address, it's the all 1s. So > 192.168.0.0/24's broadcast is 192.168.0.255 etc. Also 255.255.255.255 > is used. Ok, that much I knew, which is why this is confusing. > DNS shouldn't be broadcast ... that just smells odd... Agreed. I'm googling around trying to figure out if libpcap is hosed or what. > You probably need to post a few packet captures so we can see what's > up - maybe take this to ntop-misc as it's not really ntop related... Subscribing now. Meanwhile, docs for libpcap say that "ip broadcast" won't deliver correct results if the broadcast address can't be determined. I'm wondering if the alias on my adapter is somehow causing me grief: [EMAIL PROTECTED] root]# ifconfig eth1 Link encap:Ethernet HWaddr 00:02:A5:EF:0B:90 inet addr:66.28.14.59 Bcast:66.28.14.63 Mask:255.255.255.240 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 eth1:1 Link encap:Ethernet HWaddr 00:02:A5:EF:0B:90 inet addr:66.28.14.57 Bcast:66.28.14.63 Mask:255.255.255.240 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 (Omitting counters and loopback interface.) Both logical interfaces have consistent netmasks. Here's a dump of some packets: [EMAIL PROTECTED] root]# tcpdump ip broadcast tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes 15:52:44.068928 IP matureasskickers.net.27016 > aphexmaster3.gamespy.com.3117: UDP, length 896 15:52:44.071249 IP matureasskickers.net.32769 > indigo.arin.net.domain: 33150% [1au] PTR? 29.8.38.207.in-addr.arpa. (53) 15:52:44.079684 IP matureasskickers.net.27015 > aphexmaster3.gamespy.com.3101: UDP, length 6 15:52:44.093420 IP matureasskickers.net.27016 > adsl-64-173-8-51.dsl.sntc01.pacbell.net.27005: UDP, length 145 15:52:44.131447 IP matureasskickers.net.8767 > 208.8.25.30.1086: UDP, length 24 These all look like unicast UDP. _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
