[Bridge] Sniffing a linux bridge vs sniffing enslaved interfaces

Q theq at rogers.com
Mon Feb 16 22:39:49 UTC 2015

Thanks Joel

I have the feeling that you are using developer terms which I don’t totally udersta

I will rephrase what I believe you said below, just to make sure that I got the idea:


Eth0 <-> br0 <-> eth1


From what you are saying, if I sniff eth0 only there are chances that I will miss L1 traffic injected by the host or by the other eth1

If eth0 and eth1 have respectively vlan 1 and vlan 2, the only way to sniff both simultaneously would be by sniffing br0

There are also L1-L2 packets originated by br0 that might be missed


Are these correct?





From: aenertia at aenertia.net [mailto:aenertia at aenertia.net] On Behalf Of Joel Wiramu Pauling
Sent: February-16-15 5:17 PM
To: The Q
Cc: bridge at lists.linux-foundation.org
Subject: Re: [Bridge] Sniffing a linux bridge vs sniffing enslaved interfaces


I can think of several potential differences. You may miss any bridge specific traffic (STP, LLDP) using the interfaces generated by the bridge itself.


If you have vlan tagged sub interfaces you might also miss that traffic if you were snooping a particular interface. Obviously you will miss any on-wire broadcast traffic specific to the layer1 connection a particular interface was connected to if you sniff on an individual device. 


Basically, unless you are trying to troubleshoot a physical link issue, I would likely always use the container link when doing a packet dump, due to several edge cases.


If your bridge node host is participating (i.e. has an IP etc. on the br0 device itself, rather than in the case of a container for Vtaps/virtual machine NICs), you would also miss the hypervisor's/host's traffic if you sniffed the contained NICs.







On 16 February 2015 at 15:35, The Q <theq at rogers.com> wrote:


Hi all


Assume that you have a linux bridge with two interfaces eth0 and eth1 enslaved to this bridge

What is the difference between sniffing the bridge and sniffing its interfaces?


tcpdump -i br0   vs tcpdump -i eth0




