LinuxQuestions.org
Old 02-01-2008, 05:07 AM   #1
LasseBob
LQ Newbie
 
Registered: Jan 2004
Posts: 8

Rep: Reputation: 0
transparent bridge for snooping traffic


Hi

To set up a laptop for sniffing traffic I use the following commands:

ifconfig eth0 0.0.0.0 promisc up -arp
ifconfig eth2 0.0.0.0 promisc up -arp
brctl addbr br0
brctl setfd br0 0
brctl addif br0 eth0
brctl addif br0 eth2
brctl stp br0 off
ifconfig br0 0.0.0.0 up promisc -arp

This works quite well, except for one thing, which may be purely of theoretical interest:
On one interface I receive some packets which have the same MAC address in both source and destination and which Wireshark lists as being reply messages of protocol "LOOP". In the packet overview the protocol is called Configuration Test Protocol (loopback). These packets show on the bridge too, but not on the other interface. I guess a target of snooping could use the lack of these messages as a sign of snooping?

I hope someone can enlighten me on this matter.

Best regards,
Lasse
 
Old 02-01-2008, 07:02 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by LasseBob
I guess a target of snooping could use the lack of these messages as a sign of snooping?
If it's not meant to be routed over the bridge then I don't see the problem.
http://www.mit.edu/people/jhawk/ctp.html for details.
 
Old 02-01-2008, 07:06 AM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Googled for "Configuration Test Protocol (loopback)"

Ended up at: http://wiki.wireshark.org/Loop

It looks like it's part of a spec that some people implement (Cisco) and some don't. You aren't going to be able to do much to stop it. It doesn't look like it's something that's SUPPOSED to be bridged by Linux bridging code. Most likely, you have a router somewhere that's generating these packets and Linux is just plain ignoring them because, as that link says, it's not "real" Ethernet but a hangover from an earlier design.

To be honest, I don't think that there's much you can do. And nobody is really going to notice an obscure protocol like that being "missing". They'll think you've just turned off the option in your router.
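
An added example, not part of any post in this thread: a small Python decoder for the frames described in post #1. It picks out Configuration Test Protocol frames (EtherType 0x9000, which Wireshark labels LOOP), reports whether source and destination MAC match, and tolerates truncated captures. The function names and sample frames are constructed for illustration.

```python
import struct

ETHERTYPE_LOOP = 0x9000            # Configuration Test Protocol; Wireshark labels it "LOOP"
FUNCTIONS = {1: "reply", 2: "forward"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_ctp(frame: bytes):
    """Decode one raw Ethernet frame; return None if it is not a CTP frame."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LOOP:
        return None
    dst, src = frame[0:6], frame[6:12]
    skip = struct.unpack("<H", frame[14:16])[0]   # CTP fields are little-endian
    pos = 16 + skip                               # skipCount points at the current function
    info = {"src": mac(src), "dst": mac(dst), "self_addressed": src == dst,
            "skip": skip, "function": "malformed"}
    if pos + 2 > len(frame):
        return info                               # truncated capture or bogus skipCount
    code = struct.unpack("<H", frame[pos:pos + 2])[0]
    info["function"] = FUNCTIONS.get(code, f"unknown({code})")
    if code == 1 and pos + 4 <= len(frame):       # a reply carries a receipt number
        info["receipt"] = struct.unpack("<H", frame[pos + 2:pos + 4])[0]
    elif code == 2 and pos + 8 <= len(frame):     # a forward carries the next-hop MAC
        info["forward_to"] = mac(frame[pos + 2:pos + 8])
    return info

def keepalive_sources(frames):
    """MACs that emit self-addressed CTP replies (the pattern described in post #1)."""
    hits = (parse_ctp(f) for f in frames)
    return sorted({h["src"] for h in hits
                   if h and h["self_addressed"] and h["function"] == "reply"})

# Constructed sample frames (not taken from the thread), padded to 60 bytes.
DEV = bytes.fromhex("001122334455")
HOST = bytes.fromhex("0a0000000001")
KEEPALIVE = (DEV + DEV + b"\x90\x00" + b"\x00\x00" + b"\x01\x00" + b"\x00\x00").ljust(60, b"\x00")
ARP = (b"\xff" * 6 + HOST + b"\x08\x06").ljust(60, b"\x00")
TRUNCATED = DEV + DEV + b"\x90\x00" + b"\x08\x00"   # skipCount points past the end

if __name__ == "__main__":
    for f in (KEEPALIVE, ARP, TRUNCATED):
        print(parse_ctp(f))
    print(keepalive_sources([KEEPALIVE, ARP, TRUNCATED]))
```

Running it over frames captured on each bridge port separately shows which attached device is the source of the self-addressed replies.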
 