On Wed, 18 Jul 2001, Joe Amici wrote: > The tcpdump output prints a flag right after the > timestamp which is not reported on the man page. It is > normally the '>' or '<' depending on the > directionality of the packet. But sometimes it prints > 'P' and it looks like that the packet is duplicated as > i see another instance of the same packet but delayed > by a few microseconds. Does that have something to do > with the promiscuous mode. (Having -p or not in the > options does not affect this) > > Just so you know I am using GRE tunnels and this above > capture was on eth0. Here is the actual capture > command > > tcpdump -nl -tt -pi eth0 tcp port 80 > > So can you explain why am I seeing those duplicated > 'P' packets P means the packet is going to some other host (and it was probably captured by promiscuity). If you dump IP tunnels, the tcpdump might wrongly check the interior datagram, and believe it's meant to someone else. (Another issue is that if you're capturing on all interfaces, you might get the same packet from eth0 and your gre tunnel interface) -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
