snoop -P is a lie
Copied from my original bug report in OS-7886.
The snoop man page says the following about the -P option.
-P Capture packets in non-promiscuous mode. Only broadcast, multicast, or packets addressed to the host machine will be seen.
The point is to avoid putting the NIC in promisc mode, but it ends up doing just that. If you trace the code you'll see that the MAC promisc callback (mac_setpromisc_t) is limited to a true/false API, and that the drivers must assume that turning promisc on means accepting all unicast and multicast traffic.
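The consequence of an on/off promisc switch, as a toy receive-filter model added here for illustration (it is not illumos code, and every name in it is hypothetical): asking for "all multicast" through a boolean entry point also lets foreign unicast through, while a hypothetical interface that names traffic classes separately does not. The addresses are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy receive filter. Every name here is hypothetical, not an illumos symbol. */
enum { RX_ALL_UNICAST = 1 << 0, RX_ALL_MULTICAST = 1 << 1 };

typedef struct {
    const uint8_t *addr;     /* the NIC's own unicast address */
    const uint8_t *group;    /* one multicast group the host has joined */
    unsigned       rx_flags; /* traffic classes that bypass address filtering */
} toy_nic_t;

/* Constructed sample addresses. */
static const uint8_t HOST[6]       = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t OTHER[6]      = {0x02, 0, 0, 0, 0, 0x02};
static const uint8_t JOINED[6]     = {0x01, 0x00, 0x5e, 0, 0, 0x01};
static const uint8_t NOT_JOINED[6] = {0x01, 0x00, 0x5e, 0, 0, 0x02};

/* Model of a true/false promisc entry point: "on" can only mean everything. */
static void toy_setpromisc_bool(toy_nic_t *n, bool on)
{
    n->rx_flags = on ? (RX_ALL_UNICAST | RX_ALL_MULTICAST) : 0;
}

/* Hypothetical richer entry point: the caller names the classes it wants. */
static void toy_setpromisc_flags(toy_nic_t *n, unsigned flags)
{
    n->rx_flags = flags & (RX_ALL_UNICAST | RX_ALL_MULTICAST);
}

/* Would the NIC pass a frame with this destination address up to the host? */
static bool toy_accepts(const toy_nic_t *n, const uint8_t *dst)
{
    if (dst[0] & 0x01)   /* group bit set: multicast (broadcast not modelled) */
        return (n->rx_flags & RX_ALL_MULTICAST) || memcmp(dst, n->group, 6) == 0;
    return (n->rx_flags & RX_ALL_UNICAST) || memcmp(dst, n->addr, 6) == 0;
}

int main(void)
{
    toy_nic_t n = { HOST, JOINED, 0 };
    toy_setpromisc_bool(&n, true);               /* wanted: all multicast */
    printf("bool:  foreign unicast=%d non-member mcast=%d\n", toy_accepts(&n, OTHER), toy_accepts(&n, NOT_JOINED));
    toy_setpromisc_flags(&n, RX_ALL_MULTICAST);  /* same intent, split flags */
    printf("flags: foreign unicast=%d non-member mcast=%d\n", toy_accepts(&n, OTHER), toy_accepts(&n, NOT_JOINED));
    return 0;
}
```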
Part of the problem is that the documentation is a bit vague here. I can't tell if the intention is to see all multicast traffic, or just multicast traffic the host is interested in. If it's the former, then that would explain the current behavior: the only way to see all multicast traffic is to put the NIC in multicast promisc mode, and the only way to do that is by also turning on unicast promisc. If this is the desired behavior (to see all multicast traffic), then we need a more robust MAC API that allows us to differentiate between the various promisc modes. That is, turn on multicast promisc without also enabling unicast. However, if the true intention is to only see multicast that the host is a member of, then we have a bug in snoop to fix: it should request only DLS_PROMISC_SAP and NOT