tcpdump only display in or out mac address, how to display both?
My OS version:CentOS Linux release 7.5.1804 (Core)
My tcpdump version:
tcpdump: option requires an argument -- 'V'
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips
26 Jan 2017
When command is tcpdump -i any -e -nn, the output is like this:
15:55:07.876878 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
We can see that the output contains only "in" or "out" mac address, not both.
Howerver, in macOS, my tcpdump version is :
tcpdump: option requires an argument -- V
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7
the output is like this:
13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0
We can see that the output contains both "in" and "out" mac address.
So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.
(Added for OP since he doesn't have reputation, I think)
An example of the hex output is:
23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0
0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
0x0040: 07d8 49ea
23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132
0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f
macos centos7 tcpdump
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
add a comment |
My OS version:CentOS Linux release 7.5.1804 (Core)
My tcpdump version:
tcpdump: option requires an argument -- 'V'
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips
26 Jan 2017
When command is tcpdump -i any -e -nn, the output is like this:
15:55:07.876878 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
We can see that the output contains only "in" or "out" mac address, not both.
Howerver, in macOS, my tcpdump version is :
tcpdump: option requires an argument -- V
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7
the output is like this:
13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0
We can see that the output contains both "in" and "out" mac address.
So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.
(Added for OP since he doesn't have reputation, I think)
An example of the hex output is:
23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0
0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
0x0040: 07d8 49ea
23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132
0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f
macos centos7 tcpdump
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
add a comment |
My OS version:CentOS Linux release 7.5.1804 (Core)
My tcpdump version:
tcpdump: option requires an argument -- 'V'
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips
26 Jan 2017
When command is tcpdump -i any -e -nn, the output is like this:
15:55:07.876878 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
We can see that the output contains only "in" or "out" mac address, not both.
Howerver, in macOS, my tcpdump version is :
tcpdump: option requires an argument -- V
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7
the output is like this:
13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0
We can see that the output contains both "in" and "out" mac address.
So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.
(Added for OP since he doesn't have reputation, I think)
An example of the hex output is:
23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0
0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
0x0040: 07d8 49ea
23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132
0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f
macos centos7 tcpdump
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
My OS version:CentOS Linux release 7.5.1804 (Core)
My tcpdump version:
tcpdump: option requires an argument -- 'V'
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips
26 Jan 2017
When command is tcpdump -i any -e -nn, the output is like this:
15:55:07.876878 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
We can see that the output contains only "in" or "out" mac address, not both.
Howerver, in macOS, my tcpdump version is :
tcpdump: option requires an argument -- V
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7
the output is like this:
13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0
We can see that the output contains both "in" and "out" mac address.
So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.
(Added for OP since he doesn't have reputation, I think)
An example of the hex output is:
23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0
0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
0x0040: 07d8 49ea
23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132
0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f
macos centos7 tcpdump
macos centos7 tcpdump
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
edited Nov 25 '18 at 16:36
David Hoelzer
11.8k42753
11.8k42753
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
asked Nov 5 '18 at 8:17
Gary AllenGary Allen
337
337
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:
2 byte packet type
2 byte ARP_HRD type
2 byte address length
You can read more about this format here.
The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something likemergecap
– David Hoelzer
Nov 27 '18 at 21:12
The link-layer address field contains the link-layer address of the sender of the packet. Thus I thinktcpdumpshows the source header only inLINUX_SLLmode.
– Sourav Ghosh
Jan 31 at 20:03
add a comment |
You might try using the -xx or the -XX options.
Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.
While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.
Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
add a comment |
After some searches, https://wiki.wireshark.org/SLL, this article explains it.
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53150610%2ftcpdump-only-display-in-or-out-mac-address-how-to-display-both%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:
2 byte packet type
2 byte ARP_HRD type
2 byte address length
You can read more about this format here.
The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something likemergecap
– David Hoelzer
Nov 27 '18 at 21:12
The link-layer address field contains the link-layer address of the sender of the packet. Thus I thinktcpdumpshows the source header only inLINUX_SLLmode.
– Sourav Ghosh
Jan 31 at 20:03
add a comment |
You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:
2 byte packet type
2 byte ARP_HRD type
2 byte address length
You can read more about this format here.
The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something likemergecap
– David Hoelzer
Nov 27 '18 at 21:12
The link-layer address field contains the link-layer address of the sender of the packet. Thus I thinktcpdumpshows the source header only inLINUX_SLLmode.
– Sourav Ghosh
Jan 31 at 20:03
add a comment |
You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:
2 byte packet type
2 byte ARP_HRD type
2 byte address length
You can read more about this format here.
The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:
2 byte packet type
2 byte ARP_HRD type
2 byte address length
You can read more about this format here.
The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
answered Nov 25 '18 at 16:33
David HoelzerDavid Hoelzer
11.8k42753
11.8k42753
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something likemergecap
– David Hoelzer
Nov 27 '18 at 21:12
The link-layer address field contains the link-layer address of the sender of the packet. Thus I thinktcpdumpshows the source header only inLINUX_SLLmode.
– Sourav Ghosh
Jan 31 at 20:03
add a comment |
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something likemergecap
– David Hoelzer
Nov 27 '18 at 21:12
The link-layer address field contains the link-layer address of the sender of the packet. Thus I thinktcpdumpshows the source header only inLINUX_SLLmode.
– Sourav Ghosh
Jan 31 at 20:03
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?
– Gary Allen
Nov 27 '18 at 17:49
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like
mergecap– David Hoelzer
Nov 27 '18 at 21:12
That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like
mergecap– David Hoelzer
Nov 27 '18 at 21:12
The link-layer address field contains the link-layer address of the sender of the packet. Thus I think
tcpdump shows the source header only in LINUX_SLL mode.– Sourav Ghosh
Jan 31 at 20:03
The link-layer address field contains the link-layer address of the sender of the packet. Thus I think
tcpdump shows the source header only in LINUX_SLL mode.– Sourav Ghosh
Jan 31 at 20:03
add a comment |
You might try using the -xx or the -XX options.
Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.
While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.
Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
add a comment |
You might try using the -xx or the -XX options.
Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.
While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.
Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
add a comment |
You might try using the -xx or the -XX options.
Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.
While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.
Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
You might try using the -xx or the -XX options.
Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.
While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.
Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
answered Nov 8 '18 at 0:57
David HoelzerDavid Hoelzer
11.8k42753
11.8k42753
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
add a comment |
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
-xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.
– Gary Allen
Nov 20 '18 at 8:24
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.
– David Hoelzer
Nov 20 '18 at 13:45
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.
– Gary Allen
Nov 24 '18 at 14:50
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.
– David Hoelzer
Nov 24 '18 at 16:38
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.
– Gary Allen
Nov 25 '18 at 15:36
add a comment |
After some searches, https://wiki.wireshark.org/SLL, this article explains it.
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
add a comment |
After some searches, https://wiki.wireshark.org/SLL, this article explains it.
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
add a comment |
After some searches, https://wiki.wireshark.org/SLL, this article explains it.
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
After some searches, https://wiki.wireshark.org/SLL, this article explains it.
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
answered Nov 27 '18 at 17:56
Gary AllenGary Allen
337
337
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53150610%2ftcpdump-only-display-in-or-out-mac-address-how-to-display-both%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
