> This is because, I see that the destination ethernet header of
> the outgoing packets as 0.
Some Linux distributions have an "improved" tcpdump that
1) defaults to not running in promiscuous mode;
2) defaults to capturing on the equivalent of tcpdump.org's
libpcap 0.6[.x]'s "any" device;
3) defaults to capturing in "cooked mode" - and, unlike
tcpdump.org's libpcap 0.6.2, puts a fake Ethernet header on
the packet rather than putting a "cooked mode" header on it.
The fake Ethernet header might have a bogus destination address, because
the "recvfrom()" call used by the libpcap that comes with that version
of tcpdump returns, as the "from" in "recvfrom" indicates, the source
address - and the data that comes back from the "recvfrom()" doesn't
include the Ethernet header, so the destination address of the packet is
unavailable.
Try

    tcpdump -R -e -x -i eth0 ether multicast

The "-R" flag tells tcpdump to capture in "raw" mode rather than
"cooked" mode, so that the Ethernet headers are supplied to tcpdump from
libpcap.
If that works, then your Linux distribution probably has the "improved"
tcpdump, in which case it's also not running in promiscuous mode by
default. To make the "improved" tcpdump work the exact same way as
normal tcpdump, you also need to supply the "-p" flag, which turns
promiscuous mode *on* in the "improved" version, rather than turning it
off as is the case with the standard version.
> I am using linux 2.2.14
Actually, you're using some version of some Linux *distribution*;
identifying the kernel that a particular system is running is
insufficient to indicate what OS you're running - much of the behavior
of your system is governed by the userland code in it, rather than the
kernel code in it.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
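The following is an added example, not part of the original message and not libpcap's own code. It parses a "cooked mode" header to show why a capture taken that way has no destination address to display. It assumes the 16-byte DLT_LINUX_SLL layout documented by tcpdump.org; the names `sll_info`, `parse_sll`, `sll_addr_bytes` and `sample_sll` are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded "cooked mode" header; on the wire every field is big-endian. */
struct sll_info {
    uint16_t pkttype;  /* 0 to us, 1 broadcast, 2 multicast, 3 other host, 4 sent by us */
    uint16_t hatype;   /* ARPHRD_ value; 1 is Ethernet */
    uint16_t halen;    /* length of the sender's link-layer address */
    uint8_t  addr[8];  /* sender's address, padded (or truncated) to 8 bytes */
    uint16_t protocol; /* EtherType of the payload, e.g. 0x0800 for IPv4 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer cannot hold the 16-byte header. */
int parse_sll(const uint8_t *buf, size_t len, struct sll_info *out)
{
    if (len < 16) return -1;
    out->pkttype  = be16(buf);
    out->hatype   = be16(buf + 2);
    out->halen    = be16(buf + 4);
    memcpy(out->addr, buf + 6, sizeof out->addr);
    out->protocol = be16(buf + 14);
    return 0;
}

/* Only the first 8 address bytes are present even when halen is larger. */
size_t sll_addr_bytes(const struct sll_info *h) { return h->halen > 8 ? 8 : h->halen; }

/* Constructed sample: multicast IPv4 frame sent by 00:11:22:33:44:55. */
const uint8_t sample_sll[16] = {
    0x00, 0x02, 0x00, 0x01, 0x00, 0x06,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,
    0x08, 0x00
};

int main(void)
{
    struct sll_info h;
    if (parse_sll(sample_sll, sizeof sample_sll, &h) != 0) return 1;
    printf("pkttype=%u hatype=%u src=", (unsigned)h.pkttype, (unsigned)h.hatype);
    for (size_t i = 0; i < sll_addr_bytes(&h); i++)
        printf("%02x%s", h.addr[i], i + 1 < sll_addr_bytes(&h) ? ":" : "");
    /* There is no destination field; pkttype is the only hint about it. */
    printf(" proto=0x%04x\n", (unsigned)h.protocol);
    return 0;
}
```

The packet-type field is the only information about the destination that this header carries, which is why a fake Ethernet header built from the same data cannot contain a real destination address.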