tcpdump doesn't give any info when used with an expression

chickenscratch
09-25-2003, 08:37 PM
I thought I would use Knoppix 3.2 as a protocol analyzer. I can boot up just fine without any issues. I have my switch set up to port mirror. After I bring up a console in KDE and type "tcpdump", about a million packets go flying by the screen, so I know that my network card is seeing all traffic. As soon as I try to filter these packets with a command such as "tcpdump -i eth0 host 192.168.1.1", using an actual IP address that I know traffic is going to and from, I don't see anything. I've checked the tcpdump manual, but it is as if any expression that is added to the end of tcpdump seems to kill its ability to see any traffic. Has anyone seen this problem, or can anyone confirm that I'm not doing something wrong? I am in the process of getting the latest 3.3 9-24-03 version to see if this makes any difference. I've also tried Ethereal under KDE, and as long as I just capture anything on the port everything is seen, but when trying to use a filter to limit what's captured it fails also.

thanks in advance,