Simon Matter wrote:
>
> Are you really sure your CentOS 5 interfaces are running in promiscuous mode?
>

I'm about 90% sure. When the box restarts, there's a message in /var/log/messages that the NIC is entering promiscuous mode. However, when you look at ifconfig, the PROMISC flag on the card is NOT set. Which I think is a known kernel bug with libpcap? Supposedly fixed in 2.6.20(?), which I haven't seen show up yet in CentOS 5.

Linux version 2.6.18-53.1.4.el5 ([EMAIL PROTECTED]) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14))

If I manually set PROMISC mode from the command line, the flag shows up properly when I look at it with /sbin/ifconfig. But libpcap still doesn't see other traffic on the hub.

> But, my first idea was: What kind of hub do you use? If you are using a
> dualspeed hub and you run boxes with different ethernet speeds, then what
> you see is expected. Dualspeed hubs are switching between the 10M and 100M
> ports, they only work like 'hubs' if all ports have the same speed.

It's a 3com 10/100 dual-speed hub, so that is a concern. The outbound T1 device is a 10Mbit NIC, everything else is a 100Mbit NIC. The Windows box running the show traffic monitor is connecting at 100Mbit and can see all of the other traffic (the Linux box was also connecting at 100Mbit).

I've tried changing the Linux NIC to 10Mbit mode (and the lights on the front of the switch confirm that mode when I went and looked today). But it doesn't seem to make a difference.

...

Other notes:

- The NIC in question is a dual-port Intel PRO/1000 PCIe x4 card. So I'd expect it to have good Linux drivers. Or at least, I'd be surprised to find out that it can't be put into PROMISC mode.

- I may (next week) swap the cables between the LAN/WAN side. The LAN side is using the motherboard NIC (not sure what make/model offhand). Or I may get a cheap PCIe 1x NIC and try that.

- Hopefully, I get to set up the sister box with an identical configuration next week which will give me a lot more flexibility to play with settings. (The current box is in use, so there are limits to what I can do to it.)

- I also plan on taking in an Ubuntu laptop to hook in to that 10/100 hub and see whether I can capture packets that way.
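
Added example, not part of the original message: a small shell check that reads an interface's flags word from sysfs and compares it with the flags line printed by ifconfig, to spot the kind of disagreement described above. It assumes /sys/class/net/<iface>/flags is present and reflects the kernel's own view of IFF_PROMISC; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# IFF_PROMISC bit value from <linux/if.h>.
IFF_PROMISC=0x100

# promisc_state HEXFLAGS: decode a flags word such as 0x1103.
promisc_state() {
    if [ $(( $1 & $IFF_PROMISC )) -ne 0 ]; then
        echo promisc
    else
        echo normal
    fi
}

# check_iface IFACE [SYSFS_ROOT]: read the flags word for IFACE.
# SYSFS_ROOT defaults to /sys/class/net (assumed to exist on the host).
check_iface() {
    root=${2:-/sys/class/net}
    f="$root/$1/flags"
    if [ ! -r "$f" ]; then
        echo unknown
        return 1
    fi
    read -r flags < "$f"
    promisc_state "$flags"
}

# compare_views HEXFLAGS IFCONFIG_FLAGS_LINE: report whether the sysfs
# flags word and the ifconfig flags line agree on promiscuous mode.
compare_views() {
    k=$(promisc_state "$1")
    case " $2 " in
        *" PROMISC "*) u=promisc ;;
        *)             u=normal ;;
    esac
    if [ "$k" = "$u" ]; then
        echo "agree:$k"
    else
        echo "mismatch:sysfs=$k,ifconfig=$u"
    fi
}

# Constructed sample data: UP|BROADCAST|PROMISC|MULTICAST in the flags
# word, but no PROMISC keyword in the ifconfig flags line.
SAMPLE_FLAGS=0x1103
SAMPLE_IFCONFIG="UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1"
compare_views "$SAMPLE_FLAGS" "$SAMPLE_IFCONFIG"
```

On a live host, `check_iface eth0` reads the real flags word; a mismatch only shows that the two views disagree, not why traffic is missing on the wire.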
