mirrored port can't capture traffic in promisc mode

From: Stuart Herd (sherd_at_ca.inter.net1)
Date: 02/02/04


Date: Mon, 02 Feb 2004 09:11:09 -0500

hi all,

weird one here, i'll try to be as specific as possible...

redhat 8 w' updates
custom kernel 2.6.1

two nics connected to an extreme switch

eth0 - 192.168.2.1
eth1 = 192.168.5.253

eth1 is a monitoring port connected to a mirrored port on the switch
configured as its own vlan

[root@monitor root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:02:55:67:F7:E3
          inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::202:55ff:fe67:f7e3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1405684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:620107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:241740537 (230.5 Mb) TX bytes:59998530 (57.2 Mb)
          Interrupt:24
 
eth1 Link encap:Ethernet HWaddr 00:02:55:67:F7:E4
          inet addr:192.168.5.253 Bcast:192.168.5.255 Mask:255.255.255.0
          inet6 addr: fe80::202:55ff:fe67:f7e4/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:55473093 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3720189549 (3547.8 Mb) TX bytes:3924 (3.8 Kb)
          Interrupt:25

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:311253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:311253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:127934020 (122.0 Mb) TX bytes:127934020 (122.0 Mb)

if i run a tcpdump -i eth1 i get tons of streaming traffic across the
console, it's obviously seeing all that it should and working well.

I am using a number of applications that take advantage of packet
analysis, i.e. bandwidthd, snort and ntop. Unfortunately when i run any of
these programs they do not capture any of the traffic coming across the
port.
if i use eth0 as a test to capture data it does so no problem. I have
switched IPs on the nics and swapped out the cables reversing the setup.
Same thing happens so it's not the cards/drivers etc.

Any ideas?

-- 
=======================================
<there is no number in my email address>