I have a dedicated Ethernet port that receives SPANned traffic from a switch.

When I use PCAP (Net::Pcap in Perl or tcpdump/wireshark) to receive packets from this interface, I get buggy behavior when applying PCAP filtering.
If no filter is applied, I see all packets.
If I apply ANY filter (simply the word "ip" or "host X.X.X.X"), then I see only some sort of broadcast packets.
If I apply the filter "not host 1.1.1.1"/"not net 1.1.1.0/20", then all traffic was also received, including packets that I want to filter out.

I have checked the Ethernet registers; in all tests I have:
ethtool -d eth1 | grep promisc
Unicast promiscuous: enabled
Multicast promiscuous: enabled

This problem is reproducible on my hardware server with a clean CentOS 6.0 installation (with all current 6.0 updates installed).

CentOS 5 (another server in the same location) has no such problem.
Reverting libpcap/tcpdump to the packages from CentOS 5.7 gives the same buggy behavior, so I suggest that filtering was broken in the kernel (2.6.32-71.29.1.el6.x86_64 in my case, and also confirmed with 2.6.32-131.12.1.el6.x86_64 from the CR repository).