tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Capturing packets when no IP address is assigned to the capturing interface (Jason Mitchell) writes:


>     The recent discussion about bridges reminded me of a potentially 
>similar issue. Running tcpdump against an interface that doesn't have an 
>IP address won't capture any packets.

I don't think that's true.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wm0, link-type EN10MB (Ethernet), capture size 262144 bytes
[ifconfig wm0 up in another window, not assigning an address]
06:40:55.017529 IP > UDP, length 158
06:40:55.018716 IP6 fe80::822a:a8ff:fe93:3591.60648 > ff02::1.10001: UDP, length 158
8 packets captured
8 packets received by filter
0 packets dropped by kernel

>Assigning any IP address causes 
>tcpdump to see packets, even a LL address. Additionally, you can remove 
>the address from the interface and tcpdump will still receive packets. 
>Any idea why this happens?

Assigning an IP address implies enabling it ('up').
Removing an IP address does not disable it.

Home | Main Index | Thread Index | Old Index