As the question described, I can’t get br0 (linux bridge name) unicast traffic (of course the broadcast could) with tcpdump -nni any -vvv
, but it (tcpdump -nni any -vvv
) will capture the unicast traffic while I open another terminal and run the command tcpdump -nni br0 -vvv
to only capture the br0 traffic at the same time.
And the tcpdump
with version 4.99.5 (libpcap version 1.10.5 (with TPACKET_V3)) works, but the version 4.9.3 (libpcap version 1.8.1) can’t work on the command tcpdump -nni any -vvv
to show the br0 unicast traffic.
One more thing, I know that br0 get the all traffic which flow into the linux bridge device, see also Anatomy of a Linux bridge.
In cases where the destination MAC address of the incoming frame is multi- or broadcast, the bridge device is set to
receive all traffic, or the address is matches one of the local interfaces, a clone of the frame is also delivered upwards
in the local network stack by calling the br_pass_frame_
up function. The function updates the bridge device statistics, and passes the incoming frame up the network stack by
calling the device independent netif_receive_skb function
I guess that because of the tcpdump
tool’s version or parameter, but I can’t verify it. Could I get the reason? THX