Packet captures: filtering on RX vs TX
Use the --direction option of tcpdump (from its man page):
-Q direction
--direction=direction
Choose send/receive direction direction for which packets should be
captured. Possible values are `in', `out' and `inout'. Not available on
all platforms.
Joshua Miller
Updated on September 18, 2022

Comments
- Joshua Miller, over 1 year: I have a network problem where frames with a source MAC which matches with one of my host's source MACs are arriving at the host - an apparent duplicate MAC, or loop, or other L2 problem.
I believe this is the situation because the MAC tables (CAM tables) of my linux bridge register a local MAC (for a hosted virtual machine) as being on the upstream port, and the kernel logs show errors:
bridgename: received packet on bond0.2222 with own address as source address
I'd like to get more details about these "rogue" packets / frames, but I can't figure out how to zero in on them. With tcpdump you can filter on a particular source MAC ('ether src MAC'), but this is based on the bytes in the frame - not whether the frame was "sent out" versus "received in". We usually assume a frame with our source MAC means we're sending it out, but if a duplicate frame were received, the contents would look exactly the same to the filter.
How can one observe whether a frame was received versus transmitted in a packet capture?
- Admin, over 9 years: Doesn't tcpdump -i <interface> inbound (or "outbound") work?
- Joshua Miller, over 9 years: The man page seems to indicate that's limited to SLIP. When I try it against any of my interfaces (loopback, eth/em, bond, vlan, tap ...) tcpdump says: "tcpdump: inbound/outbound not supported on linktype 1"
- lsmooth, over 9 years: It doesn't answer your question, but using iptables and ulogd you would be able to get a pcap with only the interesting packets in it.
- PersianGulf, over 9 years: use tcpdump -L to see supported interfaces.
- PersianGulf, over 9 years: use ngrep -d dev
- Joshua Miller, over 9 years: It seems "inbound"/"outbound" works for the 'any' interface, but it doesn't seem to be reliable. On CentOS boxes it appears to work, but on Ubuntu it appears to work but filters all packets.
- kasperd, over 9 years: @JoshuaMiller I just checked the tcpdump man page on Ubuntu 14.04, and an option with the exact same description exists, but it is called -P rather than -Q (and the long form isn't mentioned).
- Joshua Miller, over 9 years: @kasperd You're right! tcpdump 4.5.1 actually has -P. Perhaps the functionality isn't as new as I originally thought.
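Putting the answer's direction option together with the question's symptom, here is an added example (not code from the thread): a POSIX shell script that reads an interface's own MAC from Linux sysfs, picks -Q or -P from the tcpdump version banner, and builds an inbound-only capture for frames that claim that MAC as their source. It assumes tcpdump 4.6 and later spell the option -Q while older builds (such as the 4.5.1 mentioned above) spell it -P; check your own man page if unsure.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Goal: see only frames that ARRIVE on an interface yet carry that
# interface's own MAC as source (the bridge "own address as source" case).

# Print the MAC of a Linux interface (e.g. bond0.2222) via sysfs.
own_mac() {
    cat "/sys/class/net/$1/address"
}

# Map a "tcpdump version X.Y.Z" banner (first line of `tcpdump --version`)
# to the direction option that build understands.
# Assumption: 4.6 and newer use -Q, older builds use -P.
direction_flag() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        # Unrecognised banner: assume a modern build.
        printf '%s\n' -Q
        return
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 6 ]; }; then
        printf '%s\n' -Q
    else
        printf '%s\n' -P
    fi
}

# Build the capture command. Restricting the direction to "in" means the
# BPF filter "ether src <mac>" can no longer match frames the host itself
# transmits, so every hit is a genuine looped or duplicated frame.
# -e prints link-level headers, -nn disables name/port resolution.
capture_cmd() {
    iface=$1; mac=$2; flag=$3
    printf 'tcpdump -i %s -e -nn %s in ether src %s\n' "$iface" "$flag" "$mac"
}

# Usage on a real host (needs root; prints the command to run):
#   flag=$(direction_flag "$(tcpdump --version 2>&1 | head -n 1)")
#   capture_cmd bond0.2222 "$(own_mac bond0.2222)" "$flag"
```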