Two 6.2 Redhat machines on an ethernet segment. One is pinging the other. On the first machine, tcpdump shows corrupted mac addresses: 0:0:0:0:0:1 / 0:0:0:0:0:0 instead of the real destination mac address.

02:49:53.741322 < 0:70:72:f0:de:20 0:0:0:0:0:1 ip 74: 113.65.144.5 > 113.65.144.3: icmp: echo request
02:49:53.741422 > 0:0:0:0:0:0 0:70:72:f0:de:20 ip 74: 113.65.144.3 > 113.65.144.5: icmp: echo reply

When using another (recompiled) version of tcpdump, it shows the correct mac addresses:

00:50:24.788056 0:70:72:f0:de:20 0:21:f2:11:93:9d 0800 74: 113.65.144.5 > 113.65.144.3: icmp: echo request
00:50:24.788226 0:21:f2:11:93:9d 0:70:72:f0:de:20 0800 74: 113.65.144.3 > 113.65.144.5: icmp: echo reply

Your recompiled version didn't have Alexey Kuznetsov's patches in. Newer versions of tcpdump use the packet socket interface by default. It isn't possible to get all link level headers properly. Using tcpdump -R works.

*** This bug has been marked as a duplicate of 9134 ***