5

My OS version:CentOS Linux release 7.5.1804 (Core)

My tcpdump version: 

tcpdump: option requires an argument -- 'V'
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  
26 Jan 2017

When command is tcpdump -i any -e -nn, the output is like this:

15:55:07.876878  **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:07.876939 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386448815 ecr 0,sackOK,eol], length 0
15:55:15.878019  **In 00:50:56:c0:00:08** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0
15:55:15.878083 **Out 00:50:56:28:6d:20** ethertype IPv4 (0x0800), length 80: 172.16.248.1.61944 > 172.16.248.101.80: Flags [S], seq 448335523, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 386456815 ecr 0,sackOK,eol], length 0

We can see that the output contains only "in" or "out" mac address, not both.

Howerver, in macOS, my tcpdump version is :

tcpdump: option requires an argument -- V
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7

the output is like this:

13:58:58.699758 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383603998 ecr 0,sackOK,eol], length 0
13:58:59.703124 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383604999 ecr 0,sackOK,eol], length 0
13:59:00.709878 **00:50:56:c0:00:08 > 00:0c:29:cb:e2:ab**, ethertype IPv4 (0x0800), length 78: 172.16.248.1.61179 > 172.16.248.101.80: Flags [S], seq 1223964422, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 383605999 ecr 0,sackOK,eol], length 0

We can see that the output contains both "in" and "out" mac address.

So, my question is, how can I make tcpdump in Centos display mac address like my macOS?, ie, display both "in" and "out" mac address.

(Added for OP since he doesn't have reputation, I think)

An example of the hex output is:

23:26:49.169360 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 68: 172.16.248.1.62593 > 172.16.248.101.2020: Flags [.], ack 14720436, win 1983, options [nop,nop,TS val 568496069 ecr 131615210], length 0

0x0000:  0000 0001 0006 **0050 56c0 0008** 0000 0800
0x0010:  4548 0034 837c 0000 4006 ae77 ac10 f801
0x0020:  ac10 f865 f481 07e4 55d8 41fc 6751 69a6
0x0030:  8010 07bf bdd9 0000 0101 080a 21e2 8fc5
0x0040:  07d8 49ea
23:26:49.171185 Out 00:0c:29:cb:e2:ab ethertype IPv4 (0x0800), length 4200: 172.16.248.101.2020 > 172.16.248.1.62593: Flags [P.], seq 14732048:14736180, ack 10297, win 380, options [nop,nop,TS val 131615212 ecr 568496070], length 4132

0x0000:  0004 0001 0006 **000c 29cb e2ab** 0000 0800
0x0010:  4512 1058 d695 4000 4006 0b70 ac10 f865
0x0020:  ac10 f801 07e4 f481 6751 9702 55d8 41fc
0x0030:  8018 017c 58d3 0000 0101 080a 07d8 49ec
0x0040:  21e2 8fc6 e771 c1f5 87f2 15e9 9b2a c2cd
0x0050:  dfce 5048 7123 1656 3fea eda7 ca39 d65c
0x0060:  3a6c b571 d6c2 5fad d39e 1605 4df6 946f
0x0070:  5657 7ef3 b85b dd66 48a7 bcd7 3567 a54f
David Hoelzer
  • 15,862
  • 4
  • 48
  • 67
Gary Allen
  • 385
  • 1
  • 3
  • 11

2 Answers2

7

You seem to be configured to use tcpdump in LINUX_SLL or Cooked mode. This has an entirely different frame header and will only show you the destination MAC since the source is being used to hold a:

 2 byte packet type
 2 byte ARP_HRD type
 2 byte address length

You can read more about this format here.

The easiest way to resolve this and see both MAC addresses is to actually select an interface using -i rather than relying on the any option, which will always be cooked.

David Hoelzer
  • 15,862
  • 4
  • 48
  • 67
  • Thank you so much, David. it really solved my problem. However, if I don't use the "-i any" option, how can I capture the traffic of all interfaces? – Gary Allen Nov 27 '18 at 17:49
  • That's a great topic for another question. :) I'd suggest that you look into the interface bonding options in Linux that allow you to treat multiple interfaces as a single interface. Alternatively, you would need to run tcpdump on every interface independently. You can interleave that data later using something like `mergecap` – David Hoelzer Nov 27 '18 at 21:12
  • 1
    [The link-layer address field contains the link-layer address of the sender of the packet](https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html). Thus I think `tcpdump` shows the source header only in `LINUX_SLL` mode. – Sourav Ghosh Jan 31 '19 at 20:03
  • 1
    I can confirm that in my case `tcpdump -nnei any` shows the source MAC address both for outgoing and incoming frame directions. (Ubuntu 22.04) --- @DavidHoelzer can you fix your answer, please? – pabouk - Ukraine stay strong Nov 13 '22 at 12:41
  • @pabouk-Ukrainestaystrong it does not sound as though you have the very specific configuration that the OP did. The answer is correct in the case of using TCPDump to view cooked sockets. – David Hoelzer Nov 13 '22 at 14:57
1

You might try using the -xx or the -XX options.

Since tcpdump was originally created specifically for looking at the network layer and above (IP and above... TCP, UDP, ICMP), its default behavior is, naturally, to decode and display only these layers.

While the -e option will add link layer information, especially if you have some of the more Ethernet variants, you may not see everything that you are looking for. If you use the -xx or -XX options, these will display the raw bytes from the frame beginning from the start of the frame header, rather than beginning the display from the start of the network layer header.

Using these options, you can decode the frame header yourself, manually, with nothing hidden from view.

David Hoelzer
  • 15,862
  • 4
  • 48
  • 67
  • -xx or -XX options just display the output in hexadecimal format, it doesn't solve my problem. – Gary Allen Nov 20 '18 at 08:24
  • Actually, it does. You wanted to see both MAC addresses. This shows you the raw ethernet frame, which contains both MAC addresses. – David Hoelzer Nov 20 '18 at 13:45
  • I compared the hexadecimal outputs from CentOS and macOS, they are different. the CentOS hexadecimal output contains only one mac address, while the macOS output contain two mac addresses. – Gary Allen Nov 24 '18 at 14:50
  • Are you saying that the ethernet frame has only one MAC on CentOS? That *cannot* be true. – David Hoelzer Nov 24 '18 at 16:38
  • Because the output is too long, I have pasted the output in a new answer. You can see from the output, it indeed contains only one mac address. – Gary Allen Nov 25 '18 at 15:36