Hum... Interesting... That check wouldn't be needed if the interface were not in promiscuous mode. But it is... And wouldn't be necessary if your upstream were properly configured. But it isn't...
You could certainly work-around it - add "net 192.168.0.0/24" to your filter. Still, that may well and truly be a bug - you should switch over to tcpdump-workers (http://www.tcpdump.org) and post it there ... Nice find! -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Porter Sent: Wednesday, June 08, 2005 4:28 PM To: [email protected] Subject: RE: [Ntop] Broadcast? --On Tuesday, June 07, 2005 5:23 PM -0500 Burton Strauss <[EMAIL PROTECTED]> wrote: > Every subnetwork has a broadcast address, it's the all 1s. So > 192.168.0.0/24's broadcast is 192.168.0.255 etc. Also 255.255.255.255 > is used. I believe the issue is in libpcap's gen_broadcast. Using tcpdump to view the generated filter, I see this: [EMAIL PROTECTED] root]# tcpdump ip broadcast -d -O (000) ldh [12] (001) jeq #0x800 jt 2 jf 9 (002) ld [30] (003) and #0xf000000 (004) jeq #0x0 jt 8 jf 5 (005) ld [30] (006) and #0xf000000 (007) jeq #0xf000000 jt 8 jf 9 (008) ret #96 (009) ret #0 The first two instructions make sure it's IP over Ethernet. The remaining stuff looks for all zeros or all ones in the low 4 bits of a /28 destination address. (The source address isn't considered.) What's missing is a check that the destination address is in the same subnet, by comparing the netmasked address with the netmasked interface address. So any remote address with all zeros or all ones in the low 4 bits gets reported as a broadcast. _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
