mirrored port can't capture traffic in promisc mode

From: Stuart Herd (sherd_at_ca.inter.net1)
Date: 02/02/04 

Date: Mon, 02 Feb 2004 09:11:09 -0500

hi all,

weird one here, i'll try to be as specific as possible...

redhat 8 w' updates
custom kernel 2.6.1

two nics connected to an extreme switch

eth0 - 192.168.2.1
eth1 = 192.168.5.253

eth1 is a monitoring port connected to a mirrored port on the switch
configured as it's own vlan

[root@monitor root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:02:55:67:F7:E3
          inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::202:55ff:fe67:f7e3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1405684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:620107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:241740537 (230.5 Mb) TX bytes:59998530 (57.2 Mb)
          Interrupt:24
 
eth1 Link encap:Ethernet HWaddr 00:02:55:67:F7:E4
          inet addr:192.168.5.253 Bcast:192.168.5.255
          Mask:255.255.255.0 inet6 addr: fe80::202:55ff:fe67:f7e4/64
          Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500
          Metric:1 RX packets:55473093 errors:0 dropped:0 overruns:0
          frame:0 TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3720189549 (3547.8 Mb) TX bytes:3924 (3.8 Kb)
          Interrupt:25
 
lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:311253
          errors:0 dropped:0 overruns:0 frame:0 TX packets:311253 errors:0
          dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX
          bytes:127934020 (122.0 Mb) TX bytes:127934020 (122.0 Mb)

if i run a tcpdump -i eth1 i get tons of streaming traffic across the
console, it's obviously seeing all that it should and working well.

I am using a number of applications that take advantage of packet
analysis, i.e bandwidthd, snort and ntop. Unfortunately when i run any of
these programs they do not capture any of the traffic coming across the
port.
if i use eth0 as a test to capture data it does so no problem. I have
switched ip's on the nics and swapped out the cables reversing the setup.
Same thing happens so it's not the cards/drivers etc

Any ideas? 

-- 
=======================================
<there is no number in my email address>

Relevant Pages

  • eth1 promisc mode fails to capture traffic
    ... eth1 is a monitoring port connected to a mirrored port on the switch ... if i run a tcpdump -i eth1 i get tons of streaming traffic across the ... if i use eth0 as a test to capture data it does so no problem. ...
    (comp.os.linux.misc)
  • Re: Dual Nics in Different Subnets on Server 2008
    ... A DG is needed if you have to leave the subnet, networking in that subnet will work. ... Eth0 will be in 10.210.36.0/16 with default gateway of layer 3 switch ... I do this because Eth0 is in different switch altogether than Eth1. ...
    (microsoft.public.windows.server.networking)
  • Re: disable local routing between eth0 and eth1 - iptables
    ... I want to disable local routing between eth0 and eth1 so that whenever ... interface eth0 and should reach eth1 through connected switch. ... Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets ...
    (comp.os.linux.networking)
  • disable local routing between eth0 and eth1 - iptables
    ... I want to disable local routing between eth0 and eth1 so that whenever ... interface eth0 and should reach eth1 through connected switch. ... Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets ...
    (comp.os.linux.networking)
  • Re: Cat 2924
    ... Copyright 1986-2004 by cisco Systems, ... BOX in both H/W and S/W, compared to a C2924-XL Switch... ... FastEthernet0/1 failed front-end loopback test ... to make the port configuration "visible", you need to apply 2 commands ...
    (comp.dcom.sys.cisco)