
If I have a network that looks like this:

           56.56.56.56 192.168.0.1/24
                  ___________     
               ---| Modem 1 |-----
               |  ___________    |        ___________
11.22.33.44 ---|                 |--------| Machine |
               |  ___________    |        ___________
               ---| Modem 2 |-----        192.168.0.3/24
                  ___________     
           67.67.67.67 192.168.0.2/24

...where both modem 1 and modem 2 forward the ssh port to 192.168.0.3.

When I call tcpdump port ssh on the machine at 192.168.0.3 and then ssh in from 11.22.33.44 to 56.56.56.56, the output looks something like this:

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:16.147870 IP 11.22.33.44.55936 > 192.168.0.3.ssh: Flags [S], seq 642687408, win 14600, options [mss 1460,sackOK,TS val 1631250991 ecr 0,nop,wscale 7], length 0
16:51:16.147957 IP 192.168.0.3.ssh > 11.22.33.44.55936: Flags [S.], seq 55101726, ack 642687409, win 28960, options [mss 1460,sackOK,TS val 1829635753 ecr 1631250991,nop,wscale 7], length 0
16:51:17.147444 IP 11.22.33.44.55936 > 192.168.0.3.ssh: Flags [S], seq 642687408, win 14600, options [mss 1460,sackOK,TS val 1631251992 ecr 0,nop,wscale 7], length 0

As you can see, tcpdump appears only to give me the origin ip as the "source" ip and the "final" ip as the destination.

What command is needed to tell tcpdump to print or filter by:

  1. the last hop (e.g. 192.168.0.1 or 192.168.0.2 in the diagram)
  2. the "public" ip (e.g. 56.56.56.56 or 67.67.67.67 in the diagram)
  3. the next hop (e.g. the modem used for packets going out instead of coming in)

2 Answers


Tcpdump only captures the packets themselves and doesn't have additional information about routes, the external original address, etc.

  1. There isn't an explicit IP address of the last hop in a packet, but you can use the Ethernet source address to determine it indirectly. You need to use the additional -e command line option of tcpdump to show the Ethernet header of the frames.
  2. It's impossible to show the original public IP on which the packet arrived, because this information is missing from the packet and is stored only in the translation table in your modem boxes.
  3. It's also impossible. Tcpdump doesn't look up the routes of the original packets and, obviously, doesn't look up the routes for the reply packets.
Anton Danilov

According to the tcpdump expressions whose syntax is BPF:

tcpdump ether host 11:22:33:44:55:66

dumps all packets to or from that MAC address

This answers (1) and (3).

As far as (2) is concerned, the source IP changes after the NAT so you'd have to have a machine outside the NAT to witness that IP.
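The two answers above make the same point from different angles: the last hop (1) and the next hop (3) are only visible in the Ethernet header, which is what tcpdump -e prints and what an `ether host` filter matches, while the public address (2) is in neither header. The following is an added example, not code from either answer or from tcpdump itself. It builds constructed Ethernet/IPv4/TCP frames for the topology in the question and parses them the way tcpdump -e would. The MAC addresses and the MAC-to-modem mapping are assumptions; on the real machine you would read them with `ip neigh` (or `arp -a`) after pinging 192.168.0.1 and 192.168.0.2.

```python
"""Added example (not from the original page): why the last/next hop is visible only in
the Ethernet header. Two inbound frames arriving via different modems are identical at
the IP layer and differ only in the Ethernet source MAC, which is what tcpdump -e prints
and what an 'ether src host' filter matches on."""
import struct
from ipaddress import IPv4Address

# Assumed MAC addresses (not in the original page). On the real machine, read them
# with 'ip neigh' (or 'arp -a') after pinging 192.168.0.1 and 192.168.0.2.
MODEM1_MAC = "02:00:00:00:00:01"   # 192.168.0.1, public 56.56.56.56
MODEM2_MAC = "02:00:00:00:00:02"   # 192.168.0.2, public 67.67.67.67
MACHINE_MAC = "02:00:00:00:00:03"  # 192.168.0.3
MAC_TABLE = {MODEM1_MAC: "Modem 1", MODEM2_MAC: "Modem 2"}


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags=0x02):
    """Minimal Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 14600, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def parse_frame(frame):
    """Return the fields tcpdump -e shows: both MACs plus the IP/TCP endpoints."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "eth_src": mac_str(src_mac), "eth_dst": mac_str(dst_mac),
        "ip_src": str(IPv4Address(ip[12:16])), "ip_dst": str(IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport, "length": len(frame),
    }


def last_hop(parsed):
    """Inbound: the Ethernet source MAC is the modem that NATed and forwarded the packet."""
    return MAC_TABLE.get(parsed["eth_src"], "unknown")


def next_hop(parsed):
    """Outbound: the Ethernet destination MAC is the gateway the reply is handed to."""
    return MAC_TABLE.get(parsed["eth_dst"], "unknown")


def bpf_filter_for(modem):
    """tcpdump filter selecting ssh traffic through one modem, in either direction."""
    mac = {name: mac for mac, name in MAC_TABLE.items()}[modem]
    return f"ether host {mac} and tcp port 22"


def tcpdump_e_line(parsed):
    """Format a parsed frame the way 'tcpdump -e -n' prints the same information."""
    return (f"{parsed['eth_src']} > {parsed['eth_dst']}, ethertype IPv4 (0x0800), "
            f"length {parsed['length']}: "
            f"{parsed['ip_src']}.{parsed['sport']} > {parsed['ip_dst']}.{parsed['dport']}")


if __name__ == "__main__":
    via1 = parse_frame(build_frame(MODEM1_MAC, MACHINE_MAC, "11.22.33.44", "192.168.0.3", 55936, 22))
    via2 = parse_frame(build_frame(MODEM2_MAC, MACHINE_MAC, "11.22.33.44", "192.168.0.3", 55936, 22))
    for p in (via1, via2):
        # Same IP layer in both lines; only the first MAC differs.
        print(tcpdump_e_line(p), "via", last_hop(p))
    reply = parse_frame(build_frame(MACHINE_MAC, MODEM2_MAC, "192.168.0.3", "11.22.33.44", 22, 55936, 0x12))
    print("reply leaves via", next_hop(reply), "; filter:", bpf_filter_for("Modem 2"))
```

Note what the frames do not contain: nothing in either header records whether the connection hit 56.56.56.56 or 67.67.67.67, which is the point the first answer makes about (2). The public address exists only in the modem's NAT table, so the only places to observe it are the modem itself or a capture point outside the NAT, as the second answer says. On the real host, the equivalent of `bpf_filter_for` is simply `tcpdump -e -n -i eth0 'ether host 02:00:00:00:00:01 and tcp port 22'` with the MAC you looked up for the modem in question.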