Packet captures: filtering on RX vs TX

linux tcpdump interface pcap
12,974

Use --direction option to tcpdump:

-Q direction
--direction=direction
       Choose send/receive direction direction for which packets should be
       captured. Possible values are `in', `out' and `inout'. Not available on
       all platforms.
Share:
12,974
Joshua Miller
Author by

Joshua Miller

Updated on September 18, 2022

Comments

  • Joshua Miller
    Joshua Miller over 1 year

    I have a network problem where frames with a source MAC which matches with one of my host's source MACs are arriving at the host - an apparent duplicate MAC, or loop, or other L2 problem.

    I believe this is the situation because the MAC tables (CAM tables) of my linux bridge register a local MAC (for a hosted virtual machine ) as being on the upstream port, and the kernel logs show errors:

    bridgename: received packet on bond0.2222 with own address as source address

    I'd like to get more details about these "rogue" packets / frames, but I can't figure out how to zero in on them. With tcpdump you can filter on a particular source MAC ( 'ether src MAC' ), but this is based on the bytes in the frame - not whether the frame was "sent out" versus "received in". We usually assume a frame with our source MAC means we're sending it out, but if a duplicate frame were received, the contents would look exactly the same to the filter.

    How can one observe whether a frame was received versus transmitted in a packet capture?

    • Admin
      Admin over 9 years
      Doesn't tcpdump -i <interface> inbound (or "outbound") work ?
    • Joshua Miller
      Joshua Miller over 9 years
      The man page seems to indicate that's limited to SLIP. When I try it against any of my interfaces (loopback, eth/em, bond, vlan, tap ...) tcpdump says: "tcpdump: inbound/outbound not supported on linktype 1"
    • lsmooth
      lsmooth over 9 years
      It doesn't answer your question, but using iptables and ulogd you would be able to get a pcap with only the interesting packets in it.
    • PersianGulf
      PersianGulf over 9 years
      use tcpdump -L for see supported interfaces,
    • PersianGulf
      PersianGulf over 9 years
      use ngrep -d dev
    • Joshua Miller
      Joshua Miller over 9 years
      It seems "inbound"/"outbound" works for the 'any' interface, but it doesn't seem to be reliable. On a CentOS boxes it appears to work, but on Ubuntu is appears to work, but filter all packets.
  • kasperd
    kasperd over 9 years
    @JoshuaMiller I just checked the tcpdump man page on Ubuntu 14.04, and an option with the exact same description exists, but it is called -P rather than -Q (and the long form isn't mentioned).
  • Joshua Miller
    Joshua Miller over 9 years
    @kasperd You're right! tcpdump 4.5.1 actually has -P. Perhaps the functionality isn't as new as I originally thought.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What do "Unknown SSAP" and "Unknown DSAP" mean in tcpdump?
tcpdump error message "That device doesn't support monitor mode"
Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?
TCP Server sends [ACK] followed by [PSH,ACK]
how to read pcap file, filter by ip address and port then write data to another file
how to verify tcp checksum
How to see all Request URLs the server is doing (final URLs)
How to see outgoing ESP packets in tcpdump before they get encrypted
Parsing pcap taken from wireshark file using - Java
"tail -f" using "tcpdump -r"