
I have a network problem where frames whose source MAC matches one of my host's MACs are arriving at the host: an apparent duplicate MAC, loop, or other L2 problem.

I believe this is the situation because the MAC tables (CAM tables) of my Linux bridge register a local MAC (for a hosted virtual machine) as being on the upstream port, and the kernel logs show errors:

bridgename: received packet on bond0.2222 with own address as source address

I'd like to get more details about these "rogue" packets/frames, but I can't figure out how to zero in on them. With tcpdump you can filter on a particular source MAC (`ether src MAC`), but this is based on the bytes in the frame, not on whether the frame was "sent out" or "received in". We usually assume a frame with our source MAC means we're sending it out, but if a duplicate frame were received, the contents would look exactly the same to the filter.

How can one observe whether a frame was received versus transmitted in a packet capture?

PersianGulf
Joshua Miller
    Doesn't `tcpdump -i inbound` (or "outbound") work? – Sep 17 '14 at 03:23
  • The man page seems to indicate that's limited to SLIP. When I try it against any of my interfaces (loopback, eth/em, bond, vlan, tap ...) tcpdump says: "tcpdump: inbound/outbound not supported on linktype 1" – Joshua Miller Sep 17 '14 at 16:14
  • 2
    It doesn't answer your question, but using iptables and ulogd you would be able to get a pcap with only the interesting packets in it. – lsmooth Sep 17 '14 at 20:57
  • Use `tcpdump -L` to see supported interfaces. – PersianGulf Sep 20 '14 at 12:37
  • Use `ngrep -d dev`. – PersianGulf Sep 20 '14 at 12:40
  • It seems "inbound"/"outbound" works for the 'any' interface, but it doesn't seem to be reliable. On CentOS boxes it appears to work, but on Ubuntu it appears to work but filters out all packets. – Joshua Miller Sep 23 '14 at 05:39

2 Answers


Use the --direction option to tcpdump:

-Q direction
--direction=direction
       Choose send/receive direction direction for which packets should be
       captured. Possible values are `in', `out' and `inout'. Not available on
       all platforms.
abacabadabacaba
    This option only appears to be available with the most recent stable release of tcpdump - 4.6.2. But after building it on ubuntu, it appears to successfully differentiate between inbound vs outbound frames. Huzzah! – Joshua Miller Sep 23 '14 at 06:37
  • 1
    @JoshuaMiller I just checked the `tcpdump` man page on Ubuntu 14.04, and an option with the exact same description exists, but it is called `-P` rather than `-Q` (and the long form isn't mentioned). – kasperd Sep 24 '14 at 10:57
  • @kasperd You're right! tcpdump 4.5.1 actually has -P. Perhaps the functionality isn't as new as I originally thought. – Joshua Miller Sep 24 '14 at 16:40
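The capture the answer and comments arrive at, as an added example that is not part of the original thread: on the bridge's upstream member (bond0.2222 in the question) a frame from the VM's MAC that is seen in the `in` direction can only have come back from the upstream switch, so `-Q in` (or `-P in` on tcpdump 4.5.x) combined with `ether src <MAC>` isolates the rogue copies while the VM's own legitimate frames, which leave through that port, are excluded. The script discovers which spelling of the option the installed tcpdump uses from its usage text; it assumes that text contains `[ -Q in|out|inout ]` or `[ -P in|out|inout ]` (an assumption, not something the thread states), and reads the interface's own MAC from /sys/class/net/<iface>/address when no MAC is given.

```shell
#!/bin/sh
# Added example (not from the thread): capture frames the host RECEIVED that
# carry a given MAC as source, using tcpdump's send/receive direction option.
# Assumptions: tcpdump's usage text (tcpdump -h) shows "-Q in|out|inout"
# (4.6 and later) or "-P in|out|inout" (4.5.x); /sys/class/net/<iface>/address
# holds the interface MAC.

# Print -Q or -P depending on how the installed tcpdump spells the direction
# option. The usage text is read from stdin so this works without tcpdump.
direction_flag() {
    usage=$(cat)
    case "$usage" in
        *"-Q in|out|inout"*) echo -Q ;;
        *"-P in|out|inout"*) echo -P ;;
        *) return 1 ;;
    esac
}

# Accept only aa:bb:cc:dd:ee:ff (either case); anything else would only
# produce a confusing BPF parse error later.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# BPF can select the source MAC but cannot express direction; the direction
# flag has to be added on top of this expression.
build_filter() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    echo "ether src $1"
}

# Compose the full command for interface $1 and MAC $2. -e prints the
# link-layer header so the source/destination MACs are visible per frame.
capture_cmd() {
    iface=$1; mac=$2
    filter=$(build_filter "$mac") || return 1
    flag=$(tcpdump -h 2>&1 | direction_flag) || {
        echo "this tcpdump has no send/receive direction option" >&2
        return 1
    }
    echo "tcpdump -i $iface -e -nn $flag in '$filter'"
}

# Usage: ./own-mac-rx.sh <iface> [<mac>] [--run]
# Prints the command; --run executes it (root required for the capture).
if [ $# -ge 1 ]; then
    iface=$1
    mac=${2:-$(cat "/sys/class/net/$iface/address")}
    cmd=$(capture_cmd "$iface" "$mac") || exit 1
    if [ "${3:-}" = "--run" ]; then eval "$cmd"; else echo "$cmd"; fi
fi
```

Run it against the specific member interface rather than the `any` pseudo-interface: the comments above report the direction filter behaving inconsistently on `any`, and the bridge's own warning already names the port the frames arrive on. A capture on bond0.2222 with the VM's MAC that shows any frames at all in the `in` direction confirms the duplicate or loop is upstream of this host.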

With iptables, you have different 'chains' for incoming and outgoing packets. From the iptables(8) man page:

... the chains INPUT and OUTPUT are only traversed for packets coming into
the local host and originating from the local host respectively. Hence
every packet only passes through one of the three chains (except
loopback traffic, which involves both INPUT and OUTPUT chains) ...

iptables can do some logging (-l), which might show you what you need. It can presumably also forward copies of packets to an interface for logging with other tools, but I haven't had reason to do that.

mc0e