Re: Sniffing a linux bridge vs sniffing enslaved interfaces


 



I can think of several potential differences. You may miss any bridge-specific traffic (STP, LLDP) using the interfaces generated by the bridge itself.

If you have VLAN-tagged subinterfaces you might also miss that traffic if you were snooping a particular interface. Obviously you will miss any on-wire broadcast traffic specific to the layer 1 connection a particular interface was connected to if you sniff on an individual device.

Basically, unless you are trying to troubleshoot a physical link issue, I would likely always use the container link when doing a packet dump, due to several edge cases.

If your bridge node host is participating (i.e. has an IP etc. on the br0 device itself, rather than in the case of a container for vtaps/virtual machine NICs), you would also miss the hypervisor's/host's traffic if you sniffed the contained NICs.


-Joel



On 16 February 2015 at 15:35, The Q <theq@xxxxxxxxxx> wrote:

 

Hi all

 

Assume that you have a Linux bridge with two interfaces, eth0 and eth1, enslaved to this bridge.

What is the difference between sniffing the bridge and sniffing its interfaces?

 

tcpdump -i br0   vs tcpdump -i eth0

 

Thanks

MiniME
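
To compare the two vantage points discussed in this thread on your own host, the following added example (not part of the original messages) lists the ports enslaved to a bridge from sysfs and prints a matching bounded tcpdump command for the bridge and for each port, filtered to the STP and LLDP frames mentioned in the reply. The function names and the `SYSFS_NET` override are assumptions of this example; it only prints the commands and does not run them.

```shell
#!/usr/bin/env bash
# Added example: plan matching captures on a bridge and on each enslaved port.
# SYSFS_NET is an assumption of this example: it can be overridden so the
# logic can be exercised against a constructed directory tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Frames to compare between the two vantage points, taken from the reply:
# STP BPDUs and LLDP (EtherType 0x88cc).
CONTROL_FILTER='stp or ether proto 0x88cc'

# Print the enslaved ports of a bridge, one per line.
# Fails if the named device is not a bridge (no "bridge" directory in sysfs).
bridge_ports() {
    local br="$1" p
    [ -d "$SYSFS_NET/$br/bridge" ] || { echo "$br: not a bridge" >&2; return 1; }
    for p in "$SYSFS_NET/$br/brif"/*; do
        # An empty brif directory leaves the glob unexpanded; skip it.
        [ -e "$p" ] && basename "$p"
    done
    return 0
}

# Print one tcpdump command per vantage point: the bridge first, then each port.
# -e prints the Ethernet header, -n disables name resolution,
# -c bounds the capture so each run terminates.
capture_plan() {
    local br="$1" count="${2:-20}" ports port
    ports="$(bridge_ports "$br")" || return 1
    printf 'tcpdump -e -n -c %s -i %s "%s"\n' "$count" "$br" "$CONTROL_FILTER"
    for port in $ports; do
        printf 'tcpdump -e -n -c %s -i %s "%s"\n' "$count" "$port" "$CONTROL_FILTER"
    done
}

# Usage: ./plan.sh br0 [packet-count]
if [ "$#" -ge 1 ]; then capture_plan "$@"; fi
```

Run the printed commands as root in separate terminals and compare which frames show up on each interface.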


