tcpdump only display in or out mac address, how to display both?












1















My OS version:CentOS Linux release 7.5.1804 (Core)



My tcpdump version:



tcpdump: option requires an argument -- 'V'
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips
26 Jan 2017


When command is tcpdump -i any -e -nn, the output is like this:



15:55:07.876878  **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0


We can see that the output contains only "in" or "out" mac address, not both.



Howerver, in macOS, my tcpdump version is :



tcpdump: option requires an argument -- V
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7


the output is like this:



13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0


We can see that the output contains both "in" and "out" mac address.



So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.





(Added for OP since he doesn't have reputation, I think)



An example of the hex output is:



23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0

0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
0x0040: 07d8 49ea
23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132

0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f









share|improve this question





























    1















    My OS version:CentOS Linux release 7.5.1804 (Core)



    My tcpdump version:



    tcpdump: option requires an argument -- 'V'
    tcpdump version 4.9.2
    libpcap version 1.5.3
    OpenSSL 1.0.2k-fips
    26 Jan 2017


    When command is tcpdump -i any -e -nn, the output is like this:



    15:55:07.876878  **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
    15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
    15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
    15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0


    We can see that the output contains only "in" or "out" mac address, not both.



    Howerver, in macOS, my tcpdump version is :



    tcpdump: option requires an argument -- V
    tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
    libpcap version 1.8.1 -- Apple version 79.200.4
    LibreSSL 2.2.7


    the output is like this:



    13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
    13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
    13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0


    We can see that the output contains both "in" and "out" mac address.



    So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.





    (Added for OP since he doesn't have reputation, I think)



    An example of the hex output is:



    23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0

    0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
    0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
    0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
    0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
    0x0040: 07d8 49ea
    23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132

    0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
    0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
    0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
    0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
    0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
    0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
    0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
    0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f









    share|improve this question



























      1












      1








      1








      My OS version:CentOS Linux release 7.5.1804 (Core)



      My tcpdump version:



      tcpdump: option requires an argument -- 'V'
      tcpdump version 4.9.2
      libpcap version 1.5.3
      OpenSSL 1.0.2k-fips
      26 Jan 2017


      When command is tcpdump -i any -e -nn, the output is like this:



      15:55:07.876878  **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
      15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
      15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
      15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0


      We can see that the output contains only "in" or "out" mac address, not both.



      Howerver, in macOS, my tcpdump version is :



      tcpdump: option requires an argument -- V
      tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
      libpcap version 1.8.1 -- Apple version 79.200.4
      LibreSSL 2.2.7


      the output is like this:



      13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
      13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
      13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0


      We can see that the output contains both "in" and "out" mac address.



      So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.





      (Added for OP since he doesn't have reputation, I think)



      An example of the hex output is:



      23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0

      0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
      0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
      0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
      0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
      0x0040: 07d8 49ea
      23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132

      0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
      0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
      0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
      0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
      0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
      0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
      0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
      0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f









      share|improve this question
















      My OS version:CentOS Linux release 7.5.1804 (Core)



      My tcpdump version:



      tcpdump: option requires an argument -- 'V'
      tcpdump version 4.9.2
      libpcap version 1.5.3
      OpenSSL 1.0.2k-fips
      26 Jan 2017


      When command is tcpdump -i any -e -nn, the output is like this:



      15:55:07.876878  **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
      15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
      15:55:15.878019 **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
      15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0


      We can see that the output contains only "in" or "out" mac address, not both.



      Howerver, in macOS, my tcpdump version is :



      tcpdump: option requires an argument -- V
      tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
      libpcap version 1.8.1 -- Apple version 79.200.4
      LibreSSL 2.2.7


      the output is like this:



      13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
      13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
      13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0


      We can see that the output contains both "in" and "out" mac address.



      So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.





      (Added for OP since he doesn't have reputation, I think)



      An example of the hex output is:



      23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0

      0x0000: 0000 0001 0006 **0050 56c0 0008** 0000 0800
      0x0010: 4548 0034 837c 0000 4006 ae77 ac10 f801
      0x0020: ac10 f865 f481 07e4 55d8 41fc 6751 69a6
      0x0030: 8010 07bf bdd9 0000 0101 080a 21e2 8fc5
      0x0040: 07d8 49ea
      23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132

      0x0000: 0004 0001 0006 **000c 29cb e2ab** 0000 0800
      0x0010: 4512 1058 d695 4000 4006 0b70 ac10 f865
      0x0020: ac10 f801 07e4 f481 6751 9702 55d8 41fc
      0x0030: 8018 017c 58d3 0000 0101 080a 07d8 49ec
      0x0040: 21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
      0x0050: dfce 5048 7123 1656 3fea eda7 ca39 d65c
      0x0060: 3a6c b571 d6c2 5fad d39e 1605 4df6 946f
      0x0070: 5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f






      macos centos7 tcpdump






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 25 '18 at 16:36









      David Hoelzer

      11.8k42753




      11.8k42753










      asked Nov 5 '18 at 8:17









      Gary AllenGary Allen

      337




      337
























          3 Answers
          3






          active

          oldest

          votes


















          0














          You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:



           2 byte packet type
          2 byte ARP_HRD type
          2 byte address length


          You can read more about this format here.



          The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.






          share|improve this answer
























          • Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

            – Gary Allen
            Nov 27 '18 at 17:49











          • That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

            – David Hoelzer
            Nov 27 '18 at 21:12











          • The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

            – Sourav Ghosh
            Jan 31 at 20:03





















          0














          You might try using the -xx or the -XX options.



          Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.



          While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.



          Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.






          share|improve this answer
























          • -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

            – Gary Allen
            Nov 20 '18 at 8:24











          • Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

            – David Hoelzer
            Nov 20 '18 at 13:45











          • I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

            – Gary Allen
            Nov 24 '18 at 14:50











          • Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

            – David Hoelzer
            Nov 24 '18 at 16:38











          • Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

            – Gary Allen
            Nov 25 '18 at 15:36



















          0














          After some searches, https://wiki.wireshark.org/SLL, this article explains it.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53150610%2ftcpdump-only-display-in-or-out-mac-address-how-to-display-both%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:



             2 byte packet type
            2 byte ARP_HRD type
            2 byte address length


            You can read more about this format here.



            The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.






            share|improve this answer
























            • Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

              – Gary Allen
              Nov 27 '18 at 17:49











            • That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

              – David Hoelzer
              Nov 27 '18 at 21:12











            • The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

              – Sourav Ghosh
              Jan 31 at 20:03


















            0














            You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:



             2 byte packet type
            2 byte ARP_HRD type
            2 byte address length


            You can read more about this format here.



            The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.






            share|improve this answer
























            • Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

              – Gary Allen
              Nov 27 '18 at 17:49











            • That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

              – David Hoelzer
              Nov 27 '18 at 21:12











            • The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

              – Sourav Ghosh
              Jan 31 at 20:03
















            0












            0








            0







            You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:



             2 byte packet type
            2 byte ARP_HRD type
            2 byte address length


            You can read more about this format here.



            The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.






            share|improve this answer













            You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:



             2 byte packet type
            2 byte ARP_HRD type
            2 byte address length


            You can read more about this format here.



            The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 25 '18 at 16:33









            David HoelzerDavid Hoelzer

            11.8k42753




            11.8k42753













            • Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

              – Gary Allen
              Nov 27 '18 at 17:49











            • That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

              – David Hoelzer
              Nov 27 '18 at 21:12











            • The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

              – Sourav Ghosh
              Jan 31 at 20:03





















            • Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

              – Gary Allen
              Nov 27 '18 at 17:49











            • That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

              – David Hoelzer
              Nov 27 '18 at 21:12











            • The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

              – Sourav Ghosh
              Jan 31 at 20:03



















            Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

            – Gary Allen
            Nov 27 '18 at 17:49





            Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces?

            – Gary Allen
            Nov 27 '18 at 17:49













            That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

            – David Hoelzer
            Nov 27 '18 at 21:12





            That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like mergecap

            – David Hoelzer
            Nov 27 '18 at 21:12













            The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

            – Sourav Ghosh
            Jan 31 at 20:03







            The link-layer address field contains the link-layer address of the sender of the packet. Thus I think tcpdump shows the source header only in LINUX_SLL mode.

            – Sourav Ghosh
            Jan 31 at 20:03















            0














            You might try using the -xx or the -XX options.



            Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.



            While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.



            Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.






            share|improve this answer
























            • -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

              – Gary Allen
              Nov 20 '18 at 8:24











            • Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

              – David Hoelzer
              Nov 20 '18 at 13:45











            • I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

              – Gary Allen
              Nov 24 '18 at 14:50











            • Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

              – David Hoelzer
              Nov 24 '18 at 16:38











            • Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

              – Gary Allen
              Nov 25 '18 at 15:36
















            0














            You might try using the -xx or the -XX options.



            Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.



            While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.



            Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.






            share|improve this answer
























            • -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

              – Gary Allen
              Nov 20 '18 at 8:24











            • Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

              – David Hoelzer
              Nov 20 '18 at 13:45











            • I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

              – Gary Allen
              Nov 24 '18 at 14:50











            • Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

              – David Hoelzer
              Nov 24 '18 at 16:38











            • Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

              – Gary Allen
              Nov 25 '18 at 15:36














            0












            0








            0







            You might try using the -xx or the -XX options.



            Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.



            While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.



            Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.






            share|improve this answer













            You might try using the -xx or the -XX options.



            Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.



            While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.



            Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 8 '18 at 0:57









            David HoelzerDavid Hoelzer

            11.8k42753




            11.8k42753













            • -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

              – Gary Allen
              Nov 20 '18 at 8:24











            • Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

              – David Hoelzer
              Nov 20 '18 at 13:45











            • I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

              – Gary Allen
              Nov 24 '18 at 14:50











            • Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

              – David Hoelzer
              Nov 24 '18 at 16:38











            • Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

              – Gary Allen
              Nov 25 '18 at 15:36



















            • -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

              – Gary Allen
              Nov 20 '18 at 8:24











            • Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

              – David Hoelzer
              Nov 20 '18 at 13:45











            • I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

              – Gary Allen
              Nov 24 '18 at 14:50











            • Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

              – David Hoelzer
              Nov 24 '18 at 16:38











            • Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

              – Gary Allen
              Nov 25 '18 at 15:36

















            -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

            – Gary Allen
            Nov 20 '18 at 8:24





            -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem.

            – Gary Allen
            Nov 20 '18 at 8:24













            Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

            – David Hoelzer
            Nov 20 '18 at 13:45





            Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses.

            – David Hoelzer
            Nov 20 '18 at 13:45













            I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

            – Gary Allen
            Nov 24 '18 at 14:50





            I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses.

            – Gary Allen
            Nov 24 '18 at 14:50













            Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

            – David Hoelzer
            Nov 24 '18 at 16:38





            Are you saying that the ethernet frame has only one MAC on CentOS? That cannot be true.

            – David Hoelzer
            Nov 24 '18 at 16:38













            Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

            – Gary Allen
            Nov 25 '18 at 15:36





            Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address.

            – Gary Allen
            Nov 25 '18 at 15:36











            0














            After some searches, https://wiki.wireshark.org/SLL, this article explains it.






            share|improve this answer




























              0














              After some searches, https://wiki.wireshark.org/SLL, this article explains it.






              share|improve this answer


























                0












                0








                0







                After some searches, https://wiki.wireshark.org/SLL, this article explains it.






                share|improve this answer













                After some searches, https://wiki.wireshark.org/SLL, this article explains it.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 27 '18 at 17:56









                Gary AllenGary Allen

                337




                337






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53150610%2ftcpdump-only-display-in-or-out-mac-address-how-to-display-both%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    404 Error Contact Form 7 ajax form submitting

                    How to know if a Active Directory user can login interactively

                    Refactoring coordinates for Minecraft Pi buildings written in Python