RE: Traffic accounted in interface that has no ip and is not in promisc mode

From: Joel Gerber <Joel.Gerber@corp.eastlink.ca>
To: lartc@vger.kernel.org
Subject: RE: Traffic accounted in interface that has no ip and is not in promisc mode
Date: Thu, 06 Nov 2014 17:15:16 +0000	[thread overview]
Message-ID: <405CDB4498600447A16CCC4ED3BFCAD301B6E7F952@SCOOBY.corp.eastlink.ca> (raw)
In-Reply-To: <545BA547.1090201@conversis.de>

Have you verified that the incoming traffic you're seeing isn't destined to a broadcast MAC address, or a multicast MAC address related to an IGMP stream that your system has joined?

When an interface is not in promiscuous mode, it still will get frames not destined to its MAC address if the destination MAC address is either a broadcast address, or a multicast address that the system has joined. Depending on your configuration, you might even see multicast traffic that you haven't specifically joined.

Joel Gerber
Network Specialist
Network Operations
Eastlink
E: Joel.Gerber@corp.eastlink.ca T: 519.786.1241

-----Original Message-----
From: lartc-owner@vger.kernel.org [mailto:lartc-owner@vger.kernel.org] On Behalf Of Dennis Jacobfeuerborn
Sent: November-06-14 11:44 AM
To: lartc@vger.kernel.org
Subject: Traffic accounted in interface that has no ip and is not in promisc mode

Hi,
I'm seeing a strange phenomenon on some systems: The packet and byte counters get increased from traffic that doesn't target the interface.

On one system the interfaces does not even have an IP and is not in promiscuous mode yet looking at the interface stats the packet and byte counters show traffic of 40 mbit:

# ip a show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:2f:be:59 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe2f:be59/64 scope link
       valid_lft forever preferred_lft forever

# ip -s l show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:2f:be:59 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    3185025880 2136432122 0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1120135715 18322641 0       0       0       0

So in order to verify that no traffic is flowing on the interface segment with this interface as its target I did:

tcpdump -e -nn -i eth0 ether host 52:54:00:2f:be:59

This shows not a single packet while at the same time I still see the packet and byte counters going up.
Then I did this:

tcpdump -e -p -nn -i eth0

This actually shows traffic but not destined for this interface. I don't understand why it would do so because I used -p to not put the interface in promisc mode.

This is happening in a virtual-machine using the virtio-net driver for the network interfaces.

Does anyone have an idea why the interface accounts this traffic?

Regards,
  Dennis
--
To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@vger.kernel.org More majordomo info at  http://vger.kernel.org/majordomo-info.html