[Bridge] Sniffing a linux bridge vs sniffing enslaved interfaces

Joel Wirāmu Pauling joel at aenertia.net
Mon Feb 16 22:17:30 UTC 2015


I can think of several potential differences. You may miss any bridge-specific
traffic (STP, LLDP) using the interfaces generated by the bridge
itself.

If you have VLAN-tagged sub-interfaces you might also miss that traffic if
you were snooping a particular interface. Obviously you will miss any
on-wire broadcast traffic specific to the layer 1 connection a particular
interface was connected to if you sniff on an individual device.

Basically, unless you are trying to troubleshoot a physical link issue, I
would likely always use the container link when doing a packet dump, due to
several edge cases.

If your bridge node host is participating (i.e. has an IP etc. on the br0
device itself, rather than in the case of a container for vtaps/virtual
machine NICs), you would also miss the hypervisor's/host's traffic if you
sniffed the contained NICs.


-Joel
On 16 February 2015 at 15:35, The Q <theq at rogers.com> wrote:

> Hi all
>
> Assume that you have a Linux bridge with two interfaces eth0 and eth1
> enslaved to this bridge
>
> What is the difference between sniffing the bridge and sniffing its
> interfaces?
>
> tcpdump -i br0   vs tcpdump -i eth0
>
> Thanks
>
> MiniME
>
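An added example, not from the thread or from the bridge project: a small POSIX shell script that reads a bridge's port list from sysfs (/sys/class/net/<bridge>/brif/, the kernel's real layout) and starts one tcpdump per vantage point, the bridge device and each enslaved port, into separate pcap files so the two captures the question asks about can be compared side by side. The SYSFS_NET override and the function names are this example's own; actually capturing needs root and tcpdump.

```shell
#!/bin/sh
# Added example (not part of the thread): capture on a Linux bridge and on
# each of its enslaved ports at the same time, one pcap per vantage point.
# SYSFS_NET is an override so the functions can be exercised against a
# constructed sysfs tree; it defaults to the real sysfs.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the interfaces enslaved to bridge $1, one per line.  The kernel
# exposes them as entries of /sys/class/net/<bridge>/brif/.
bridge_ports() {
    br="$1"
    for p in "$SYSFS_NET/$br"/brif/*; do
        [ -e "$p" ] || continue      # unmatched glob: bridge has no ports
        basename "$p"
    done
}

# Print one tcpdump command per vantage point of bridge $1, writing pcaps
# under directory $2.  The bridge device shows what the bridge delivers to
# the host or forwards; a raw port shows the wire as received, including the
# bridge-specific (STP, LLDP) and VLAN-tagged frames that, as the reply above
# notes, may never appear on the bridge device.
capture_plan() {
    br="$1"; out="$2"
    for dev in "$br" $(bridge_ports "$br"); do
        printf 'tcpdump -i %s -w %s/%s.pcap\n' "$dev" "$out" "$dev"
    done
}

# Run every capture of the plan in the background and wait for them.  Ctrl-C
# reaches all tcpdump processes (same foreground process group) and each one
# flushes its pcap before exiting.
run_capture_plan() {
    br="$1"; out="${2:-/tmp}"
    mkdir -p "$out"
    # The subshell owns the background jobs, so its own wait collects them.
    capture_plan "$br" "$out" | { while read -r cmd; do $cmd & done; wait; }
}

case "${1:-}" in
    --run) run_capture_plan "$2" "${3:-/tmp}" ;;   # sh sniff.sh --run br0 /tmp/cap
esac
```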