How to set up a passive Point-to-Point Link for capture - Networking
How to set up a passive Point-to-Point Link for capture
Hi NG,
for a custom application I am supposed to set up a passive capturing
tool for traffic analysis purposes, using a tool similar to tcpdump
(actually tcpdump is also used for troubleshooting). My network
engineer has set up a tap (or span) port from the switch, so the
traffic to be captured is sent to a dedicated NIC.
The network engineer told me that from a network perspective this is
to be seen as a Layer 2 Point-to-Point link (which is not the same as
PPP). Since I am very unfamiliar with this setup - I have never done
something similar before - and all the search results I have seen so
far are either about PPP or Point-to-Point links, I want to know what
this looks like from a Linux perspective.
Especially:
* Do I need an IP address for that NIC? - Since there is actually no
traffic for my capturing host going in through that NIC, I don't think
so, but then all the examples I have seen tell something different.
Traffic is unidirectional.
* Is there anything else special I need to obey? - My capturing host
must not respond to any traffic going in that NIC.
I am using RHEL 4 Upgrade 4 (AFAIK for the upgrade level).
Thanks for any hints and best regards,
Franz
-
Re: How to set up a passive Point-to-Point Link for capture
On Feb 6, 6:01 pm, fprilme...@amadeus.com wrote:
> Hi NG,
>
> for a custom application I am supposed to set up a passive capturing
> tool for traffic analysis purposes, using a tool similar to tcpdump
> (actually tcpdump is also used for troubleshooting). My network
> engineer has set up a tap (or span) port from the switch, so the
> traffic to be captured is sent to a dedicated NIC.
>
> The network engineer told me that from a network perspective this is
> to be seen as a Layer 2 Point-to-Point link (which is not the same as
> PPP). Since I am very unfamiliar with this setup - I have never done
> something similar before - and all the search results I have seen so
> far are either about PPP or Point-to-Point links, I want to know what
> this looks like from a Linux perspective.
>
> Especially:
> * Do I need an IP address for that NIC? - Since there is actually no
> traffic for my capturing host going in through that NIC, I don't think
> so, but then all the examples I have seen tell something different.
> Traffic is unidirectional.
> * Is there anything else special I need to obey? - My capturing host
> must not respond to any traffic going in that NIC.
Make sure your interface is set to promisc:
ifconfig eth0 promisc
This allows tcpdump to capture ALL packets regardless of subnet.
Other than that turn off all unnecessary daemons/services on your
capture host if you don't want it to respond to anything. You may even
want to turn off ping response:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
If you're really paranoid, install a firewall and block all outgoing
traffic.
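The steps from the reply (promiscuous mode, no responses from the capture host, ICMP echo ignored, outbound traffic blocked) pulled together into one script, as an added example that is not part of the thread. It targets the ifconfig/iptables tooling of a RHEL 4 era host; the interface name eth1, the pcap path and the DRY_RUN switch are assumptions. It also goes a step beyond the reply by removing the IPv4 address and disabling ARP on the capture NIC, so the kernel has no reason to source any frame on that link, and by running tcpdump with -nn so name lookups do not generate traffic while you capture. The script defaults to printing the commands; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): bring up a receive-only capture NIC
# on a classic ifconfig/iptables system such as RHEL 4, then start tcpdump.
# IFACE and PCAP are assumptions; adjust them to your host.
# DRY_RUN defaults to 1 (print the commands); DRY_RUN=0 executes them.
set -e

IFACE="${IFACE:-eth1}"             # the SPAN/tap-fed NIC (assumed name)
PCAP="${PCAP:-/var/tmp/span.pcap}" # constructed output path
DRY_RUN="${DRY_RUN:-1}"

# run CMD... : execute, or echo the command when DRY_RUN=1 so it can be reviewed
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# quiet_iface IFACE : make the NIC listen without ever sourcing traffic
quiet_iface() {
    iface="$1"
    # No IPv4 address: nothing on this link is addressed to us, so nothing to bind.
    run ifconfig "$iface" 0.0.0.0
    # -arp stops the kernel answering or issuing ARP on this link.
    run ifconfig "$iface" -arp
    # promisc so the card passes frames for every MAC, not just its own.
    run ifconfig "$iface" promisc up
    # Belt and braces: drop anything the stack still tries to emit via this NIC.
    run iptables -I OUTPUT -o "$iface" -j DROP
    # Newer kernels expose a per-interface IPv6 switch; a RHEL 4 kernel does not,
    # so only use it where present (link-local autoconf would otherwise emit ND).
    if [ -e "/proc/sys/net/ipv6/conf/$iface/disable_ipv6" ]; then
        run sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1"
    fi
}

# quiet_host : host-wide setting from the reply (ignore all ICMP echo requests)
quiet_host() {
    run sysctl -w net.ipv4.icmp_echo_ignore_all=1
}

# start_capture IFACE FILE : -nn avoids DNS/port lookups, which would themselves
# generate traffic (via other NICs) while you capture; -s 0 keeps whole frames.
start_capture() {
    run tcpdump -i "$1" -nn -s 0 -w "$2"
}

# check_quiet IFACE : return 0 only if the NIC has no IPv4 address and is promiscuous
check_quiet() {
    iface="$1"
    if ifconfig "$iface" | grep -q 'inet addr:'; then
        echo "warning: $iface still has an IPv4 address" >&2
        return 1
    fi
    if ! ifconfig "$iface" | grep -q 'PROMISC'; then
        echo "warning: $iface is not in promiscuous mode" >&2
        return 1
    fi
    return 0
}

main() {
    quiet_iface "$IFACE"
    quiet_host
    [ "$DRY_RUN" = "1" ] || check_quiet "$IFACE"
    start_capture "$IFACE" "$PCAP"
}

main "$@"
```

Review the printed commands first, then apply with `DRY_RUN=0 IFACE=eth1 sh capture-nic.sh`. Note that the ifconfig settings and the iptables rule do not survive a reboot; put them in the interface's ifcfg file or an init script if the capture host is meant to stay quiet permanently.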