I've been having this odd problem with my networking for the past several months, but it hasn't really affected anything until now.
I have a 12.04 LTS server with 3 1G interfaces. Eth0 is the built-in interface on the motherboard, and is the primary interface for the system. Eth1 is the first interface on a dual-interface Intel NIC card and is in a down state. Eth2 is the second interface on the Intel card and is up in promiscuous mode. Eth2 is fed a feed from a tap (technically, a hardware span port) that sits between my border router and my network switch. Every device, wired or wireless, runs thru the switch then the router to access the internet. Any data between two systems on the network should only go thru the switch. Therefore it seems, the tap, and thus Eth2, should only see traffic from the LAN to the internet.
The reason for doing this is security and bandwidth monitoring. Another thing to note is the Eth2 is NOT assigned an IP address.
Quick ifconfig:
Code:
eth0 Link encap:Ethernet HWaddr 6c:f0:49:d5:a8:61
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::6ef0:49ff:fed5:a861/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:173716287 errors:0 dropped:0 overruns:0 frame:0
TX packets:978669166 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1789153 (1.7 MB) TX bytes:1201659019 (1.2 GB)
Interrupt:42 Base address:0xe000
eth2 Link encap:Ethernet HWaddr 00:15:17:5b:74:2b
inet6 addr: fe80::215:17ff:fe5b:742b/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:39107567 errors:0 dropped:0 overruns:0 frame:0
TX packets:7578 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39184939063 (39.1 GB) TX bytes:559562 (559.5 KB)
Interrupt:17 Memory:fbea0000-fbec0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4397081580 errors:0 dropped:0 overruns:0 frame:0
TX packets:4397081580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:193686202866 (193.6 GB) TX bytes:193686202866 (193.6 GB)
The system has multiple servers running: SSH, DNS, DHCP, Samba, FTP, and Apache.
Somehow, for some reason, when running tcpdump on each eth0 and eth2, each interface is carrying half of the local server traffic. For example, tcpdump -i eth0 "port 22" shows all packets from the client system to the server, and tcpdump -i eth2 "port 22" shows all packets from the server back to the client.
I'm seeing two big problems here that I can't figure out - an interface, in promiscuous mode, with no IP address, is transmitting packets, and topologically-speaking, there's no way the tap should be able to see inter-LAN traffic at all. I have the strong suspicion that both of these as symptoms of something wrong with the networking configuration, but for the life of my, I can't figure it out.
Some guidance would be greatly appreciated.
Coog
Bookmarks