From: Christopher Cowart
To: freebsd@dreamchaser.org
Cc: freebsd-questions@freebsd.org
Date: Fri, 5 Oct 2007 17:12:09 -0700
Subject: Re: tcpdump -- non-local traffic not showing

On Fri, Oct 05, 2007 at 05:31:25PM -0600, freebsd@dreamchaser.org wrote:
> I'm having trouble seeing packets which are not going to or from the
> machine on which tcpdump is running. Is there something special I
> need to do to enable this? It's my understanding tcpdump puts the
> interface in promiscuous mode, and dmesg seems to confirm this.
> However I see the following behavior using "tcpdump -fntl -i ed1":
>
> If hosts .x, .y, and .z are all on the same network,
> and if tcpdump is running on host a.b.c.x
> and on host a.b.c.y I do
> ping a.b.c.x
>
> I see the icmp packets.
>
> But if on host a.b.c.y I do
> ping a.b.c.z
>
> I see nothing.
> Does the interface drop packets with a different mac address, even
> when supposedly put in promiscuous mode?
>
> Clues?

You're probably plugged into a switch ("learning bridge"). Switches
partition your collision domain -- they learn which MAC is available on
which port and only send on that port. You either need a hub or a really
expensive switch (the kind that you log in to and set up port mirrors).

-- 
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
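
The behaviour described in the reply, as an added example that is not part of the original message: a toy Python model of a hub and a learning switch that replays the poster's two pings and lists which frames a capture on host x would see. The port numbers, MAC addresses and the empty-ARP-cache assumption are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Repeats every frame out of every port except the one it came in on."""
    def __init__(self, ports):
        self.ports = set(ports)
    def forward(self, in_port, src, dst):
        return self.ports - {in_port}

class LearningSwitch(Hub):
    """Learns source MAC -> port; floods only broadcast and unknown unicast."""
    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}
    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port            # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            return {self.mac_table[dst]} - {in_port}
        return self.ports - {in_port}            # flood

def sniffer_view(device, frames, sniffer_port):
    """Labels of frames a capture on sniffer_port sees: frames delivered to
    that port plus frames the capturing host transmits itself."""
    seen = []
    for in_port, src, dst, label in frames:
        out_ports = device.forward(in_port, src, dst)
        if in_port == sniffer_port or sniffer_port in out_ports:
            seen.append(label)
    return seen

def ping(src_port, src, dst_port, dst, name):
    """One ping with an empty ARP cache (assumption): ARP exchange, then ICMP."""
    return [(src_port, src, BROADCAST, f"{name}: ARP who-has"),
            (dst_port, dst, src, f"{name}: ARP reply"),
            (src_port, src, dst, f"{name}: ICMP echo request"),
            (dst_port, dst, src, f"{name}: ICMP echo reply")]

# Constructed scenario: hosts x, y, z on ports 1, 2, 3; tcpdump runs on x.
X, Y, Z = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
PORTS = (1, 2, 3)
FRAMES = ping(2, Y, 1, X, "y->x") + ping(2, Y, 3, Z, "y->z")

if __name__ == "__main__":
    for device in (Hub(PORTS), LearningSwitch(PORTS)):
        print(type(device).__name__)
        for label in sniffer_view(device, FRAMES, sniffer_port=1):
            print("   ", label)
```

Behind the switch, the only y->z frame that reaches x is the broadcast ARP request; the unicast ARP reply and ICMP frames go to ports 2 and 3 only, while the hub delivers all of them.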