nic card speed... tcpdump and ethtool say different things which one is real... and how do I set it?

When I do an ethtool command I get:

[root@linux2 /]# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 24
        Transceiver: internal
        Auto-negotiation: on
        Current message level: 0x00000001 (1)
        Link detected: yes
[root@linux2 /]#

But when I run Tcpdump I get this:

[root@linux2 /]# tcpdump -C 1 -w dumptest
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12 packets captured
12 packets received by filter
0 packets dropped by kernel
[root@linux2 /]#

In ethtool it says I am running at 100MB but tcpdump says the link-type is 10MB.  Which one is the real one, and how do I set them the same?  The further problem is this.  I have a Linksys hub.  When sniffing in promiscuous mode, the hub is only sending data directed towards the machine in question.  All other traffic is not being broadcast from the hub to the sniffing machine.  I think this is due to some sort of limitation on Linksys's part.  They say on their website...

"The Linksys hubs only operate at Half-Duplex speed and they broadcast a packet to all the nodes on the network (the Auto-sensing hubs broadcast the 10Mb packets to the ports that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only)."

So essentially if the NIC in the Linux box is listening at 10MB, it will not hear anything coming from a 100MB connection on a 10/100MB hub.  I need to make sure the NIC is listening at 100MB or set it to do so.

> link-type EN10MB (Ethernet)
It does not mean that your link is 10Mbps. It only means that it is of type Ethernet (it might be 10G as well).

Other examples of link types are:
  EN10MB (Ethernet)
  IEEE802_11 (802.11)
  IEEE802_11_RADIO (802.11 plus radio information header)
And about the second part.
It's not a limitation of Linksys; it is by design.
In normal circumstances it's better that the hub does not forward all traffic to all ports. If anyone untrusted were able to connect to it, he could sniff your traffic.
And this behaviour increases the bandwidth that the switch can handle, and eliminates collisions.
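
Added example, not part of the original thread: the capture file that `tcpdump -w` writes records only a link-layer header type, and the negotiated speed lives in the kernel instead. The sample header is constructed to match the capture above (snaplen 96, Ethernet), and the sysfs path is the standard Linux location, assumed present on the monitoring host.

```python
import struct

# A few link-layer header types from the tcpdump.org LINKTYPE registry.
LINKTYPES = {
    1: "EN10MB (Ethernet)",
    105: "IEEE802_11 (802.11)",
    127: "IEEE802_11_RADIO (802.11 plus radio information header)",
}
# Magic number as it appears on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def parse_pcap_header(data):
    """Decode the 24-byte global header of a classic pcap file."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    # Note what is absent: the header has no field for link speed or duplex.
    return {
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown"),
    }

def link_speed_mbps(iface, sysfs="/sys/class/net"):
    """Negotiated speed as the Linux kernel reports it, or None if unavailable."""
    try:
        with open("%s/%s/speed" % (sysfs, iface)) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

# Constructed header matching the capture in the question (snaplen 96, Ethernet).
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)

if __name__ == "__main__":
    print(parse_pcap_header(SAMPLE_HEADER))
    print("eth0 speed (Mb/s):", link_speed_mbps("eth0"))
```
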
Rebelnorth (Author) Commented:
Ok cool... but I want to sniff... so what do you suggest I do?
Configure the switch to forward all traffic to Your port. However I don't know if Your switch has this option.
Configure Your switch to half-duplex mode.
Downgrade to HUB.

Compromise your switch's MAC table, but then, this forum is not a hacking guide, sorry.
Rebelnorth (Author) Commented:
It's not a switch.  It's a hub.  That's the reason we bought it.  
I am not attempting to hack.  I am attempting to monitor the network traffic in my own network.  I have an older Linksys hub not attached to the same segment where the sniffing box works just fine.  However this Linksys hub (and another duplicate piece of hardware bought at the same time) do not work fine... they only allow messages destined for the address of the sniffing box.  Per Linksys there is no difference between the two hubs technologically.  Except that the new ones are four port and the old one is an 8 port.  I can't switch the old one with the new ones because the old one is in use.

The new one is an unmanaged hub.

I guess the question I should ask is: how do I change the speed my NIC cards are listening and transmitting at?
First, the most common case is that the hubs are switched hubs.
About your network card speed:
- look into kernel module options; it's common that the driver can set the speed
- look at the ethtool program options (ethtool -s eth0 duplex half)
And note that if you set your card to 10M/half-duplex, then most of the packets from the 100M network will be dropped anyway.
What is the exact model of your Linksys? From what ethtool is showing (100Mb/FDX) I'd suspect it to be a switch, not a hub, which would explain why you aren't seeing all of the traffic. The very nature of a hub limits it to half duplex operation, but your NIC is operating in full duplex mode, which makes me think it is a switch.

If you use a hub ethtool should show 100Mb/HDX and you will see all traffic that passes through the hub.
Rebelnorth (Author) Commented:
It's an EFAH05W 10/100 workgroup hub. Linksys said it was a hub.  And it doesn't say anywhere in the documentation that it is a switched hub.  But it's behaving as if it IS a switched hub?  What do you think?
I'd agree that it looks like you have a hub from the product literature, in which case your NIC is misnegotiating the link mode, since a hub is a half-duplex device. You could try using ethtool to set the correct link mode and see if that helps.
Linksys is notorious for not supporting NWays autonegotiation in their products, and many of those that do support it don't work consistently. If you know the network speed (i.e. your NIC, router, and cable are up to it) then you can force your NIC to 100Mbps. Consult your distro's manual/docs on this. However, more recent products should all support NWays for automatic rate and duplex negotiation.

As for your problem, this can really only be happening if your 'hub' is acting as a switch or at least has MAC tables.

You can do several things.

You can spoof your local gateway. That is, you need to make your system spoof as the LAN's gateway.

arspoof IP.OF.LOCAL.GATEWAY>/dev/null

 But if you do this, make SURE you enable IP forwarding on your box also or you'll send your LAN's packets into the abyss.

echo 1 > /proc/sys/net/ipv4/ip_forward.

I can't tell you how to do this specifically as you don't say what distro/version you are using.
Though the above will get it running for that session anyway.
I assume it's a professional distro which should have manuals to help you set it permanently on the network monitor box.

Also you can force your 'hub' to run in open mode, passing all packets to every port by overloading its MAC table. You can use 'macof' from the dsniff package. (see )

Using macof is easier, but not something you want to be running all the time. Your LAN performance will suffer.

Ideally you should replace the 'hub' with a real hub. Or upgrade to a professional switch with the ability to do this kind of management itself.

Rebelnorth (Author) Commented:
Hmmm, I'm having trouble trying to change the mode to half duplex.
I type ethtool -s eth0 duplex half

but it doesn't do anything? Am I missing something?
By "it doesnt do anything" do you mean that after executing 'ethtool -s eth0 duplex half' executing 'ethtool eth0' still shows the mode as Full?
Are you running it as root?

Also, why are you forcing half duplex?
Given your hub is acting like a switch, you should probably use full duplex.

Anyway, I'd call LinkSys and ask them if this thing really is a hub or a switch. And why you can't monitor your network through it.
Rebelnorth (Author) Commented:
First question:
When I execute the command it just brings up a command prompt.  Then when I run ethtool it still says the mode is full.  I rebooted just in case and it still said it was full.

Second question:
I am running as root.  I'm attempting to force half duplex to see if it works, since full duplex isn't working the way I want it to.  I called Linksys already; they said it was not a switch.  I told them it was acting like a switch.  They told me it was not a switch.  I told them I have another older Linksys hub (8 port instead of 4) that is working like a hub and I can sniff on that.  I also told them I bought two 4 port hubs and both 4 port hubs are working like switches.   They told me that my four port hub is the same technology as the 8 port and that all the four port hubs are hubs, not switches.  

Unfortunately that leaves me with the only option of trying to determine if they are wrong. Or my equipment is malfunctioning or misconfigured in some way (it's most likely my fault).  

There are only three devices attached to the hub in question.  A router with 100Mb half duplex on the interface attached.  A 10/100 non-intelligent switch, and a Linux box that currently reads 100 full duplex.

Assuming that the switch is attached at half duplex, and that, as a previous poster mentioned, hubs work at half duplex, then the hub (which isn't intelligent and can't be controlled) is auto-negotiating with the Linux box for 100Mb or something else is happening.  I want to force half duplex to see what happens.
There are some NICs that neither ethtool nor mii-diag can change (the one on my laptop can't be changed by either). That may be the case here, and switching to a different make/model of NIC would be the appropriate action. That change in NICs might eliminate the duplex mismatch.

FYI: On a NIC that ethtool can manipulate, when you execute 'ethtool -s eth0 duplex half' you'll simply get a shell command prompt. The utility doesn't emit any success/failure messages. It is necessary to execute 'ethtool eth0' to see if it worked.
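
Added example, not part of the original thread: because `ethtool -s` prints nothing either way, a monitoring host can confirm the result by parsing `ethtool eth0` output and comparing it with the mode that was requested. The sample text is a constructed excerpt of the output quoted in the question; `parse_ethtool` and `check_link` are hypothetical helper names.

```python
# Constructed sample: excerpt of the `ethtool eth0` output quoted in the question.
SAMPLE = """Settings for eth0:
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Auto-negotiation: on
        Link detected: yes
"""

def parse_ethtool(text):
    """Map each 'Key: value' field to a token list, folding continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Settings for"):
            continue
        if ":" in stripped:
            key, _, value = stripped.partition(":")
            key = key.strip()
            fields[key] = value.split()
        elif key is not None:
            # Continuation of a multi-line value such as the link mode list.
            fields[key] += stripped.split()
    return fields

def check_link(fields, speed, duplex):
    """Return the differences between the reported link and the wanted one."""
    problems = []
    mode = "%dbaseT/%s" % (speed, duplex)
    if mode not in fields.get("Supported link modes", []):
        problems.append("%s not in supported link modes" % mode)
    got_speed = " ".join(fields.get("Speed", []))
    got_duplex = " ".join(fields.get("Duplex", []))
    if got_speed != "%dMb/s" % speed:
        problems.append("speed is %s, wanted %dMb/s" % (got_speed, speed))
    if got_duplex != duplex:
        problems.append("duplex is %s, wanted %s" % (got_duplex, duplex))
    return problems

if __name__ == "__main__":
    fields = parse_ethtool(SAMPLE)
    for problem in check_link(fields, 100, "Half") or ["link matches request"]:
        print(problem)
```
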

Rebelnorth (Author) Commented:
Is there any sort of listing of those that can and cannot be changed?
Rebelnorth (Author) Commented:
NIC type is:
3com corporation 3c905b 100base TX [cyclone]