From: Joel Gerber <Joel.Gerber@corp.eastlink.ca>
To: lartc@vger.kernel.org
Subject: RE: Traffic accounted in interface that has no ip and is not in promisc mode
Date: Thu, 06 Nov 2014 17:15:16 +0000 [thread overview]
Message-ID: <405CDB4498600447A16CCC4ED3BFCAD301B6E7F952@SCOOBY.corp.eastlink.ca> (raw)
In-Reply-To: <545BA547.1090201@conversis.de>
Have you verified that the incoming traffic you're seeing isn't destined to a broadcast MAC address, or a multicast MAC address related to an IGMP stream that your system has joined?
When an interface is not in promiscuous mode, it still will get frames not destined to its MAC address if the destination MAC address is either a broadcast address, or a multicast address that the system has joined. Depending on your configuration, you might even see multicast traffic that you haven't specifically joined.
Joel Gerber
Network Specialist
Network Operations
Eastlink
E: Joel.Gerber@corp.eastlink.ca T: 519.786.1241
-----Original Message-----
From: lartc-owner@vger.kernel.org [mailto:lartc-owner@vger.kernel.org] On Behalf Of Dennis Jacobfeuerborn
Sent: November-06-14 11:44 AM
To: lartc@vger.kernel.org
Subject: Traffic accounted in interface that has no ip and is not in promisc mode
Hi,
I'm seeing a strange phenomenon on some systems: The packet and byte counters get increased from traffic that doesn't target the interface.
On one system the interfaces does not even have an IP and is not in promiscuous mode yet looking at the interface stats the packet and byte counters show traffic of 40 mbit:
# ip a show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:2f:be:59 brd ff:ff:ff:ff:ff:ff
inet6 fe80::5054:ff:fe2f:be59/64 scope link
valid_lft forever preferred_lft forever
# ip -s l show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:2f:be:59 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
3185025880 2136432122 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1120135715 18322641 0 0 0 0
So in order to verify that no traffic is flowing on the interface segment with this interface as its target I did:
tcpdump -e -nn -i eth0 ether host 52:54:00:2f:be:59
This shows not a single packet while at the same time I still see the packet and byte counters going up.
Then I did this:
tcpdump -e -p -nn -i eth0
This actually shows traffic but not destined for this interface. I don't understand why it would do so because I used -p to not put the interface in promisc mode.
This is happening in a virtual-machine using the virtio-net driver for the network interfaces.
Does anyone have an idea why the interface accounts this traffic?
Regards,
Dennis
--
To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2014-11-06 17:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-06 16:43 Traffic accounted in interface that has no ip and is not in promisc mode Dennis Jacobfeuerborn
2014-11-06 17:15 ` Joel Gerber [this message]
2014-11-06 23:00 ` Dennis Jacobfeuerborn
2014-11-06 23:11 ` Rick Jones
2014-11-06 23:38 ` Dennis Jacobfeuerborn
2014-11-07 0:07 ` Rick Jones
2014-11-09 0:32 ` Dennis Jacobfeuerborn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=405CDB4498600447A16CCC4ED3BFCAD301B6E7F952@SCOOBY.corp.eastlink.ca \
--to=joel.gerber@corp.eastlink.ca \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.