Running tcpdump with or without -p only captures the packets directed to the host, or broadcasts. ifconfig does not show promiscuous flag. NIC: e100 kernel-2.4.22-1.2115.nptl tcpdump-3.7.2-7.1 BTW, the man page reverted to its original. It specifies default promiscuous, -p making non-promiscuous. See bug 6464 for context.
ifconfig does not seem to show the correct flags... try "/sbin/ip link" [harald@faro harald]$ sudo /sbin/ip link 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:01:02:f1:85:f4 brd ff:ff:ff:ff:ff:ff [harald@faro harald]$ sudo /sbin/ip link 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:01:02:f1:85:f4 brd ff:ff:ff:ff:ff:ff [harald@faro harald]$ sudo /sbin/ifconfig eth0 Protokoll:Ethernet Hardware Adresse 00:01:02:F1:85:F4 inet Adresse:172.16.2.162 Bcast:172.16.2.255 Maske:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:7644385 errors:0 dropped:0 overruns:1 frame:0 TX packets:4984513 errors:0 dropped:0 overruns:0 carrier:0 Kollisionen:0 RX bytes:4026752812 (3840.2 Mb) TX bytes:514514184 (490.6 Mb) lo Protokoll:Lokale Schleife inet Adresse:127.0.0.1 Maske:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:8139 errors:0 dropped:0 overruns:0 frame:0 TX packets:8139 errors:0 dropped:0 overruns:0 carrier:0 Kollisionen:0 RX bytes:10844282 (10.3 Mb) TX bytes:10844282 (10.3 Mb)
reassigning to net-tools
http://www.uwsg.iu.edu/hypermail/linux/net/0202.1/0022.html
From: [EMAIL PROTECTED] (Frédéric Raynal) Date: Thu, 25 Jul 2002 08:09:44 +0200 This is a well knwon issue and C. Grenier and I have understood why very recently. In fact, this due to the changing of the handling of promiscuous mode in kernel space. With kernel 2.0, one had to perform the following to set the interface to promiscuous mode: strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); ioctl(sock, SIOCGIFFLAGS, &ifr); ifr.ifr_flags |= IFF_PROMISC; ioctl(sock, SIOCSIFFLAGS, &ifr); The trouble was that the promiscuous mode was handled by a flag. Each time a process sets this mode, the flag is set. But if another process removes this mode, the flag is cleared. Rather bad behavior. Since kernel 2.2, a processus must ask to enter in a membership of process (setsockopt(..., PACKET_ADD_MEMBERSHIP,...)) using the interface in promiscuous mode. A counter is then increased. One a process of the membership does not need the promiscuous mode anymore, it drops the membership (setsockopt(..., PACKET_DROP_MEMBERSHIP, ...)) the counter is decreased, and promiscuous mode is disabled as soon as the counter is 0. struct packet_mreq mr; ... memset(&mr,0,sizeof(mr)); mr.mr_ifindex = ifr.ifr_ifindex; mr.mr_type = PACKET_MR_PROMISC; setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, (char *)&mr, sizeof(mr)); The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode sets by ioctl(SIOCSIFFLAGS). --- http://lists.virus.org/bugtraq-0207/msg00347.html http://www.tcpdump.org/lists/workers/2001/01/msg00184.html http://marc.theaimsgroup.com/?t=101356558000002&r=1&w=2
Fixed in current release ..