List, some time ago I did troubleshooting on a Linux PC and that involved running tcpdump with the "not tcp" filter on a few network interfaces to put a number of background TCP connections out of scope (I was interested how other protocols' packets were making from one interface to the other). At some point I had realized that tcpdump was printing TCP packets _only_ and no other protocols (again, the filter was "not tcp"). Later I figured it out how to reproduce the problem but not the cause of it.
The host has an Ethernet interface with only an IPv6 link-local address (eth0). On top of it there is a VLAN interface with VID 75 (eth0.75), IPv6 link-local address and IPv4 address 10.0.75.254/24. The difference is, when tcpdump runs with "-i eth0.75", it works as expected and displays ARP and, for instance, UDP from/to the network 10.0.75.0/24. When run with "-i eth0", it displays only TCP from/to network 10.0.75.0. This looks wrong in two ways as the tagged packets should not appear on the bearing interface in the first place and even if they appear there the filter should exclude them, but instead of this it excludes all the other packets. This is the latest build of tcpdump on kernel 3.13.0-44-generic #73-Ubuntu SMP. Not sure if I will get to find the reason myself, but if anybody sees this as a duplicate of or an additional input for one of the known bugs, please let me know. -- Denis Ovsienko _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers