hello everybody

i try to setup network monitoring server.
i have a server with two interfaces eth0 and eth1.
eth0 is set with default setings, and eth1 is connected to a mirrored port on my switch to catch all the traffic on my network.
but the problem is, when i start iptraf an i monitor eth1, i see only non-ip traffic, is that normal ?

config line for eth1 in /etc/network/interfaces

auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Thanks for your help.

Thomas

Which monitoring option are you using?

This is what is does with me:

LAN station monitor shows the ethernet addresses
IP traffic monitor shows the IP address and the port number

i just use iptraf without options

don't you get a menu with options to choose from when you startup iptraf?

what do you see when you run iptraf?

i see that.

Attached Thumbnails

 

A few things you could try:
- toggle the promiscuous setting in iptraf
- check if the IP traffic arrives at your pc
the following command should list some IP packets:It captures the first 1000 packets that arrive at eth1

Edit: You do realise that those numbers that you see in your screenshot are mac addresses? I see one from a Cisco NIC, some from a D-Link NIC, and some of manufacturers I've never heard off

yes i know this is mac address, but i don't understand why iptraf don't "read" the packet. because it seems to work with tcpdump.

do you think it's because of a vlan ?

i put the promisc mode on in iptraf

I don't know the inner workings of iptraf.

You say the packets arrive on the network interface, so that isn't the problem. (AFAIK end devices don't know if they are in a Vlan or not, but I'm not certain)

Does iptraf filter any traffic (Filter...->IP...) ?
That is my last guess. Those non-IP packets probably really are non-IP packets, they all are 183 bytes.

Good luck.