Second NIC doesn't see any traffic

grimshaw

I could use some thoughts on my second ethernet card (the onboard 3com card worked before and still works after the second nic installation). I *think* the second card is an intel etherexpress pro 100. Probing the PCI bus agrees with this assessment. The card was from my stack of cards and I am reasonably sure it is operational. The link light comes on and my switch recognizes the interface as up.

The module is compiled and loads.
The interface can be brought up.

However, the card simply sees nothing (tcpdumps on an active span session). Thoughts?

I'm not new to linux, but I am pretty new to Gentoo. Perhaps I am missing something. Comments and ideas appreciated.

Some settings for your review...

eth0 Link encap:Ethernet HWaddr 00:C0:4F:0E:88:5D
inet addr:24.24.24.24 Bcast:152.13.144.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4673 errors:0 dropped:0 overruns:0 frame:0
TX packets:539 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:495274 (483.6 Kb) TX bytes:77392 (75.5 Kb)
Interrupt:11 Base address:0xdc00

eth1 Link encap:Ethernet HWaddr 00:02:B3:3D:7E:4A
inet addr:10.11.12.13 Bcast:10.11.12.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10 Base address:0x9000

==========
hostname root # cat /proc/pci | grep -B1 -A1 ther

Bus 0, device 14, function 0:
Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev

.
IRQ 10.
--
Bus 0, device 17, function 0:
Ethernet controller: 3Com Corporation 3c905B 100BaseTX [Cyclone] (rev 36).
IRQ 11.
===========

==========
hostname root # lsmod
Module Size Used by Not tainted
eepro100 19700 1
mii 2496 0 [eepro100]
3c59x 27632 1
==========

==========
hostname root # tcpdump -n -i eth1
tcpdump: listening on eth1

0 packets received by filter
0 packets dropped by kernel
==========
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)

dma · Posted: Fri Aug 08, 2003 4:55 pm Post subject:

eth1 is connected to your private network?

You will only get IP traffic on eth1 (10.11.12.13) if packets are routed to that address somehow.

grimshaw · Posted: Fri Aug 08, 2003 5:24 pm Post subject:

Yes. However, this is not a routing issue. This interface's job in life is to be a promiscuous interface to capture data. As it stands, the card is seen, the module is loaded and the interface comes up... it just doesn't see data.

- John
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)

paranode · l33t Joined: 06 Mar 2003 Posts: 679 Location: Texas

Maybe try:

grimshaw · Posted: Fri Aug 08, 2003 6:10 pm Post subject:

Oh, I'm snooping a busy link,there is plenty of traffic.

I put the source connection in question on the working 3com card and I see a consistant 30Mb/s stream.

Unfortunately, now I have to go manually visit the box to review what is captured instead of connecting remotely to the machine over the alternate ethernet card that plugs into a valid network port.

- John
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)

NeddySeagoon · Posted: Fri Aug 08, 2003 7:07 pm Post subject:

grimshaw,

There is no point in plugging a promiscious interface into a switch.
A switch learns what IP addresses (well MAC addresses) are on each port and only routes things to the right port.

You need a hub to snoop traffic, since a hub sends every packet to every port.

Regards,

NeddySeagoon
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

grimshaw · Posted: Fri Aug 08, 2003 7:42 pm Post subject:

Mostly true. Even on a switch I would see broadcast traffic and arp traffic. I saw neither when on a generic switchport.

However, the port in question is not a conventional switchport. It is a Cisco Catalyst 6509 (a switch/router) and I am spanning (this is a port mirror and has the same bridge properties you would essentially get on a conventional hub) another port.

Rest assured I am getting plenty of traffic delivered right to my port. One card sees it (the 3com), the other does not (the Intel).

I have no iptables or firewalling either.

- John
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)

y0n · n00b Joined: 25 Jun 2003 Posts: 47 Location: /dev/random

paranode · l33t Joined: 06 Mar 2003 Posts: 679 Location: Texas

y0n · n00b Joined: 25 Jun 2003 Posts: 47 Location: /dev/random

yeah my post was off topic....
_________________
Puffy saves.

fragbert