Tcpdump cannot capture non-broadcast/multicast packets from bridge interface in OpenWRT

bridge linux-networking openwrt tcpdump

(Originally, I posted it on StackOverflow. I moved it to networkengineering and then here.)

I have a TP-LINK WR841N v9 router and installed OpenWRT firmware CHAOS CALMER (15.05.1, r48532).

I have /etc/config/network content:

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.15.252.3'
    option netmask '255.255.254.0'
    option gateway '10.15.252.1'
    option ifname 'eth0 eth1'

Here is the output of ip link ls:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP mode DEFAULT group default qlen 1000
link/ether c4:6e:1f:b6:8e:24 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc fq_codel master br-lan state DOWN mode DEFAULT group default qlen 1000
link/ether c4:6e:1f:b6:8e:25 brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether c4:6e:1f:b6:8e:24 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether c4:6e:1f:b6:8e:24 brd ff:ff:ff:ff:ff:ff

I have two computers cable-connecting to 2 of the 4 LAN ports. Let's say computer A and B.

  1. A keeps pinging B and it works well.
  2. On the router, I use tcpdump to capture traffic from bridge br-lan: tcpdump -i br-lan -n 'arp or icmp'.

I did see ARP traffic, but there is no ICMP traffic.

I tried to set up iptables rules to block traffic to B in both the INPUT and OUTPUT chains, and it's not working.

Here is the output of command brctl and ip:

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.c46e1fb68e24       no              eth0
                                                        eth1


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
63107 580 0 0 0 0
TX: bytes packets errors dropped carrier collsns
63107 580 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP mode DEFAULT group default qlen 1000
link/ether c4:6e:1f:b6:8e:24 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
64256004 445450 0 6 0 0
TX: bytes packets errors dropped carrier collsns
8775980 43685 0 0 0 0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc fq_codel master br-lan state DOWN mode DEFAULT group default qlen 1000
link/ether c4:6e:1f:b6:8e:25 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether c4:6e:1f:b6:8e:24 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
5: br-lan: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether c4:6e:1f:b6:8e:24 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
57777761 444757 0 60579 0 0
TX: bytes packets errors dropped carrier collsns
8871188 44499 0 0 0 0

There are surely lots of TX and RX packets on interfaces.

So, my questions are:
1. How to use tcpdump to capture traffic flowing through bridge br-lan? (Bridge works on layer-2 and it is supposed to work, isn't it?)
2. If I want to mirror traffic in/out of computer B to another port (e.g. the WAN port), what should I do? (I tried to use this port-mirroring tool, but it is not working.)

(I want to try ebtables, but I couldn't get it installed on the router due to insufficient space. Also, I couldn't find tool bridge to check the forward DB on the bridge.)

I found other relevant threads: Tcpdump/Iptables on bridge interface without assigned IP address and tcpdump on bridge interface (virbr) does not receive any packets destined for one of its addresses, but it's not working.

Best Answer

I have reconfigured the router to do the following:
1. Assign both eth0 and eth1 to bridge br-lan;
2. Cable-connect computer B to eth1 port (WAN port);
3. In the port-mirroring config file, forward traffic from eth1 to the IP of A.

Now, I can listen to all the traffic in/out of B. And of course, tcpdump can also capture traffic flowing through br-lan.
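
An added check, not part of the original question or answer: it reads `ip link` output and reports which member ports of a bridge have carrier, which is what differs between the question's setup (only eth0 up) and the answer's (B moved to eth1). The function names are made up for this example, and it assumes both LAN hosts reach the router through the single eth0 port.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ip link` text on stdin.

# Print "<port> up|down" for every interface enslaved to bridge $1.
bridge_ports() {
    awk -v br="$1" '
        /^[0-9]+: / {                     # header line: "2: eth0: <FLAGS> ..."
            master = ""
            for (i = 1; i < NF; i++) if ($i == "master") master = $(i + 1)
            if (master != br) next
            name = $2; sub(/:$/, "", name); sub(/@.*$/, "", name)
            print name, ($3 ~ /[<,]LOWER_UP[,>]/ ? "up" : "down")
        }'
}

# Count member ports with carrier. With fewer than two, the software bridge
# has no second port to forward to, so a capture on it shows only flooded
# frames (ARP, broadcast, multicast) and traffic addressed to the router.
# Assumption: hosts behind the same port exchange unicast without the bridge.
capture_check() {
    up=$(bridge_ports "$1" | awk '$2 == "up" { n++ } END { print n + 0 }')
    if [ "$up" -ge 2 ]; then
        echo "ok: $up ports of $1 have carrier"
    else
        echo "warn: $up port(s) of $1 have carrier"
    fi
}

# Header lines copied from the question's `ip link ls` output.
question_state() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP mode DEFAULT group default qlen 1000
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc fq_codel master br-lan state DOWN mode DEFAULT group default qlen 1000
5: br-lan: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
EOF
}

question_state | capture_check br-lan
```

On the router itself, pipe the live output instead: `ip link | capture_check br-lan`.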