Subject: Re: 1.5Q: tcpdump vs. wi0?
To: Tero Kivinen <kivinen@ssh.fi>
From: John Hawkinson <jhawk@MIT.EDU>
List: current-users
Date: 01/03/2001 23:03:30
In message <14931.49288.856554.419494@taulu.hel.fi.ssh.com>, Tero Kivinen writes:
>John Hawkinson writes:
>> Huh? That's not how it works.
>
>I don't know for sure, but that was the case when I ran the tcpdump.
>All packets were sent to the base station, and it forwarded it then back
>to the wireless network or ethernet depending where the other wireless
>node was.

That shouldn't happen.

...
>So immediately when I start tcpdump I will see duplicate packets
>coming to me. I have interpreted this so that when I turn on
>promiscuous mode I see both the x46 sending packet to base station and
>the base station sending it back to me, thus I see two packets instead
>of only one.

The base station doesn't retransmit packets back out -- if stations A
and B are associated with access point Z, if A sends a packet to B,
it doesn't get xmitted by Z, other than possibly out Z's ethernet
interface if it doesn't know where B's MAC lives. At least, that's
my understanding.


>> If you could show traces that demonstrate this behavior, that would
>> be best... 
>
>I cannot demonstrate this now, but I can demonstrate duplicate packets
>when I turn on the promiscuous mode:

OK. I see this also. I wonder what causes it ;-) And I see it pinging
another wireless node but not a "wired" node and not the airport.

Perhaps it means my understanding above is wrong, and the AP
really does retransmit data. I'm not seeing any other good explanation
for why we'd see this duplication. I just spent a while staring at the
spec and can't seem to find anywhere that this is clear.

>The ethernet hardware addresses still seem to be ours, i.e. I cannot see
>the base station there at all. The base station is Apple Airport.
>
>I think that before I have also seen the hardware address of the base
>station there, but then the airport was configured to do NAT, etc.,
>thus it might change things.

At some point in the past the wi driver put the incorrect MAC addresses
in the faked up ethernet header, and you might have seen the airport's
MAC address on a packet received from (or to) the airport...

I suppose this is incentive to try to get the 802.11 tcpdump support
working...I started to do this and got lame.

--jhawk