I have a machine which has a port connected to a monitor port on a switch. Thus, many packets from different sources and destinations are arriving at its interface. However, I cannot seem to filter based on certain IP addresses.
For example, I try to do this, but I see no traffic:
# tcpdump -n -nn -i p2p2 host 239.31.80.152
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p2p2, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
But if I do a simple grep, I can see packets come in:
# tcpdump -n -nn -i p2p2 | grep 239.31.80.152
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p2p2, link-type EN10MB (Ethernet), capture size 65535 bytes
20:32:26.535506 IP 10.232.4.7.41724 > 239.31.80.152.10502: UDP, length 38
20:32:26.635546 IP 10.232.4.7.41724 > 239.31.80.152.10502: UDP, length 38
If I dump the packets to a pcap file, I cannot filter based on that host, either.
But I can filter on another host or network as I wish:
# tcpdump -n -nn -i p2p2 src net 50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p2p2, link-type EN10MB (Ethernet), capture size 65535 bytes
21:01:05.104011 IP 50.93.139.140.60745 > 233.90.130.137.13090: UDP, length 20
21:01:05.140072 IP 50.93.139.140.60745 > 233.90.130.137.13090: UDP, length 75
# tcpdump -n -nn -i p2p2 dst host 233.90.130.137
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p2p2, link-type EN10MB (Ethernet), capture size 65535 bytes
21:01:17.940104 IP 50.93.139.140.60745 > 233.90.130.137.13090: UDP, length 460
21:01:17.954007 IP 50.93.139.140.60745 > 233.90.130.137.13090: UDP, length 20
21:01:18.000084 IP 50.93.139.140.60745 > 233.90.130.137.13090: UDP, length 59
What is peculiar about that host 239.31.80.152?
