Red Hat Bugzilla – Bug 179400
can't sniff incoming traffic on interface that is part of a bond
Last modified: 2007-11-30 17:07:22 EST
Description of problem:
I have a system with interfaces eth0 and eth1 bonded together into an interface
named bond0. If I sniff traffic on bond0, I see all traffic going both in and
out. But sometimes I want to see exactly which interface is carrying the
traffic (for debugging, usually). But if I sniff traffic on eth0 (or eth1) I
only see outbound traffic, not inbound traffic.
Version-Release number of selected component (if applicable):
All the time
Steps to Reproduce:
1. create a bonded interface
2. sniff traffic on eth0 or eth1 (NOT bond0)
What you are observing is an artifact of how bonding is implemented in the
kernel (i.e. the hack that is bonding).
Incoming frames are marked as arriving on the bond at a very low level in the
stack, while outgoing frames on the bond are intercepted and remarked for the
physical interface, then re-injected high enough in the stack to allow them to
I agree that sniffing incoming frames on the physical links in the bond would
be potentially beneficial, I'm not sure how to do it without breaking
something or implementing a nasty hack. I'll give it some thought, but I
can't be optimistic.
Created attachment 124128 [details]
Test kernels w/ the above patch are available here:
Please give them a try and post the results here...thanks!
Closed due to lack of response. Please reopen when the requested info becomes