Using tcpdump-3.9.1-1.src.rpm.

Using "ip broadcast" as a filter on an aliased interface fails because the
network part of the address is not checked for a match. For instance, here's an
invocation using a /24 setup:

[root@segw ken]# tcpdump -i eth1:1 ip broadcast -d -O
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 9
(002) ld       [30]
(003) and      #0xff000000
(004) jeq      #0x0             jt 8    jf 5
(005) ld       [30]
(006) and      #0xff000000
(007) jeq      #0xff000000      jt 8    jf 9
(008) ret      #96
(009) ret      #0

Note how the host field is checked for all-zeroes and all-ones, but the network
field is not matched against the interface's configured address. This causes
lots of false positives on an unswitched network.