You must understand that the networking system is a multi-layered stack. At the lowest level is the actual hardware and the drivers that represent it to the rest of the system.
The driver of the actual physical NIC eth2 basically receives everything that comes in through the NIC. At this point, the counters for eth2 are increased.
The next step after the physical NIC driver is the VLAN layer, which can maintain virtual interfaces that behave just like NICs (eth2.11 and eth2.12).
If the traffic belongs to VLAN 11 or VLAN 12, it is passed to the "virtual NICs" eth2.11 or eth2.12 and the counters of those virtual NICS are increased. Otherwise it passes this layer as "belonging to eth2".
The next step is the network layer (usually IP, but may be IPX, Appletalk, x25 or whatever). It sees three separate network interfaces: eth2, eth2.11 and eth2.12. It does not know nor care that only one of these is an actual physical NIC.
In your configuration, the network layer works normally for any traffic coming in from eth2.11 and eth2.12: it verifies that the destination IP address is correct and passes the packets to the transport layer (usually TCP, UDP or ICMP, but there are other transport layer protocols). But for eth2, there is no IP address configured, so the IP layer simply discards the packets at this point.
So the non-VLAN eth2 traffic first passes through the hardware, driver and VLAN layers, incrementing the counters for eth2, but is ignored at the IP layer.
Tcpdump, Wireshark and other tools like it connect to the NIC at very low level. You don't need to assign an IP address to eth2 to be able to use tcpdump or wireshark to monitor the traffic.
MK
MK
