I am unable to capture unicast traffic on the br0 (linux bridge) interface using the command tcpdump -nni any -vvv. Broadcast traffic, however, is captured as expected. Interestingly, unicast traffic is captured if I open another terminal and run tcpdump -nni br0 -vvv to capture traffic specifically on the br0 interface simultaneously.
I’ve noticed that this behavior is present with tcpdump version 4.9.3 (libpcap version 1.8.1), where the tcpdump -nni any -vvv command does not capture br0 unicast traffic. However, using tcpdump version 4.99.5 (libpcap version 1.10.5 with TPACKET_V3) works correctly and captures the unicast traffic on br0.
I know that br0 gets all the traffic which flows into the linux bridge device, see also Anatomy of a Linux bridge:
In cases where the destination MAC address of the incoming frame is multi- or broadcast, the bridge device is set to receive all traffic, or the address matches one of the local interfaces, a clone of the frame is also delivered upwards in the local network stack by calling the br_pass_frame_up function. The function updates the bridge device statistics, and passes the incoming frame up the network stack by calling the device independent netif_receive_skb function.
I suspect that what I’m seeing may be related to the version of tcpdump or its parameters, but I can’t confirm this. Could you help explain the reason for this behaviour?
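As an added illustration (not code from the question or from the Linux kernel), this Python model applies the three delivery conditions from the quoted paragraph to constructed Ethernet frames; the MAC addresses are made up and bridge_promisc stands for the "set to receive all traffic" flag. Since tcpdump puts the capture interface into promiscuous mode by default but, per its own man page, never does so for the any pseudo-device, that flag is the variable that separates the two captures described above.

```python
import struct

BROADCAST = b"\xff" * 6


def dst_mac(frame: bytes) -> bytes:
    """Return the destination MAC (first 6 bytes of the Ethernet header)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:6]


def is_multicast_or_broadcast(mac: bytes) -> bool:
    # The I/G bit (least significant bit of the first octet) marks group
    # addresses; ff:ff:ff:ff:ff:ff is simply the all-ones group address.
    return bool(mac[0] & 0x01)


def passes_frame_up(frame: bytes, local_macs: set, bridge_promisc: bool) -> bool:
    """Model of the br_pass_frame_up decision quoted in the question: a clone
    goes up the local stack (where a capture on br0 sees it) if the destination
    is multi/broadcast, the bridge device is promiscuous, or the destination is
    one of the bridge's local addresses. Otherwise the frame is only forwarded."""
    mac = dst_mac(frame)
    return is_multicast_or_broadcast(mac) or bridge_promisc or mac in local_macs


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed addresses: br0's own MAC and two hosts behind bridge ports.
BR0_MAC = bytes.fromhex("021122334455")
HOST_A = bytes.fromhex("0a0000000001")
HOST_B = bytes.fromhex("0a0000000002")

SAMPLE_FRAMES = {
    "arp broadcast": build_frame(BROADCAST, HOST_A, 0x0806),
    "ipv6 multicast": build_frame(bytes.fromhex("333300000001"), HOST_A, 0x86DD),
    "unicast to br0": build_frame(BR0_MAC, HOST_A),
    "unicast a->b": build_frame(HOST_B, HOST_A),
}


def delivered_to_stack(bridge_promisc: bool) -> dict:
    """Which constructed frames reach the local stack for a given promisc state."""
    return {name: passes_frame_up(f, {BR0_MAC}, bridge_promisc) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"br0 promiscuous={mode}:")
        for name, seen in delivered_to_stack(mode).items():
            print(f"  {name:16} {'delivered up' if seen else 'forwarded only'}")
```

Only the unicast frame between two bridged hosts changes outcome between the two runs, which matches the symptom that broadcast is always captured while unicast appears only once something has made br0 promiscuous.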