Have you verified that the incoming traffic you're seeing isn't destined to a broadcast MAC address, or a multicast MAC address related to an IGMP stream that your system has joined? When an interface is not in promiscuous mode, it still will get frames not destined to its MAC address if the destination MAC address is either a broadcast address, or a multicast address that the system has joined. Depending on your configuration, you might even see multicast traffic that you haven't specifically joined. Joel Gerber Network Specialist Network Operations Eastlink E: Joel.Gerber@xxxxxxxxxxxxxxxx T: 519.786.1241 -----Original Message----- From: lartc-owner@xxxxxxxxxxxxxxx [mailto:lartc-owner@xxxxxxxxxxxxxxx] On Behalf Of Dennis Jacobfeuerborn Sent: November-06-14 11:44 AM To: lartc@xxxxxxxxxxxxxxx Subject: Traffic accounted in interface that has no ip and is not in promisc mode Hi, I'm seeing a strange phenomenon on some systems: The packet and byte counters get increased from traffic that doesn't target the interface. On one system the interfaces does not even have an IP and is not in promiscuous mode yet looking at the interface stats the packet and byte counters show traffic of 40 mbit: # ip a show dev eth0 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:2f:be:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::5054:ff:fe2f:be59/64 scope link valid_lft forever preferred_lft forever # ip -s l show dev eth0 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:2f:be:59 brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 3185025880 2136432122 0 0 0 0 TX: bytes packets errors dropped carrier collsns 1120135715 18322641 0 0 0 0 So in order to verify that no traffic is flowing on the interface segment with this interface as its target I did: tcpdump -e -nn -i eth0 ether host 52:54:00:2f:be:59 This shows not a single packet while at the same time I still see the packet and byte counters going up. Then I did this: tcpdump -e -p -nn -i eth0 This actually shows traffic but not destined for this interface. I don't understand why it would do so because I used -p to not put the interface in promisc mode. This is happening in a virtual-machine using the virtio-net driver for the network interfaces. Does anyone have an idea why the interface accounts this traffic? Regards, Dennis -- To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
