
I have a network problem where frames with a source MAC which matches with one of my host's source MACs are arriving at the host - an apparent duplicate MAC, or loop, or other L2 problem.

I believe this is the situation because the MAC tables (CAM tables) of my Linux bridge register a local MAC (for a hosted virtual machine) as being on the upstream port, and the kernel logs show errors:

bridgename: received packet on bond0.2222 with own address as source address

I'd like to get more details about these "rogue" packets / frames, but I can't figure out how to zero in on them. With tcpdump you can filter on a particular source MAC ('ether src MAC'), but this is based on the bytes in the frame - not whether the frame was "sent out" versus "received in". We usually assume a frame with our source MAC means we're sending it out, but if a duplicate frame were received, the contents would look exactly the same to the filter.

How can one observe whether a frame was received versus transmitted in a packet capture?

PersianGulf

2 Answers


Use the --direction option to tcpdump:

-Q direction
--direction=direction
       Choose send/receive direction direction for which packets should be
       captured. Possible values are `in', `out' and `inout'. Not available on
       all platforms.
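The direction filter applied to the asker's situation, as an added example (not part of the answer above): combine -Q in with the 'ether src' filter from the question, so only frames that were received on the interface yet carry a local MAC as their source are shown. It assumes Linux (the MAC is read from sysfs), a tcpdump/libpcap that supports -Q, and root for the actual capture; the interface and MAC values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: capture only frames that are
# *received* on an interface yet carry a local MAC as their Ethernet source.
# Assumes Linux (MAC read from sysfs), tcpdump with -Q support, and root for
# the actual capture. Interface and MAC values below are placeholders.

# Syntactic check for a colon-separated MAC, e.g. 52:54:00:12:34:56
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Hardware address of an interface as the kernel reports it in sysfs.
iface_mac() {
    cat "/sys/class/net/$1/address"
}

# BPF filter for frames whose Ethernet source equals the given MAC.
rogue_filter() {
    printf 'ether src %s' "$1"
}

# Capture received frames only (-Q in) that match the filter. A host never
# *receives* its own transmissions, so anything this prints is a looped or
# duplicated frame. -e shows the link-level header (the MAC pair), -nn disables
# name lookups, -c stops after a handful of frames so a storm does not flood
# the terminal.
capture_rogue() {
    iface=$1; mac=$2; count=${3:-20}
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 2; }
    tcpdump -i "$iface" -Q in -e -nn -c "$count" "$(rogue_filter "$mac")"
}

# Usage (needs root):   IFACE=bond0.2222 sh capture_rogue.sh
# MAC defaults to the interface's own address; set MAC=<vm mac> to look for a
# hosted VM's address arriving on the upstream port instead.
if [ -n "${IFACE:-}" ]; then
    MAC=${MAC:-$(iface_mac "$IFACE")}
    echo "capturing received frames with source $MAC on $IFACE" >&2
    capture_rogue "$IFACE" "$MAC"
fi
```

Capturing on the upstream port (bond0.2222 in the question) with the VM's MAC as the filter shows exactly the frames the bridge complains about, including which remote MAC they are addressed to; capturing on the bridge's VM-facing port with -Q in shows whether the VM itself is sending the frames. Add -w to keep a pcap if the frames need closer analysis.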

With iptables, you have different 'chains' for incoming and outgoing packets. From the iptables(8) man page:

... the chains INPUT and OUTPUT are only traversed for packets coming into 
the local host and originating from the local host  respectively.   Hence 
every  packet  only  passes  through one of the three chains (except 
loopback traffic, which involves both INPUT and OUTPUT chains) ...

iptables can do some logging (-l), which might show you what you need. It can presumably also forward copies of packets to an interface for logging with other tools, but I haven't had reason to do that.

mc0e
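The INPUT-chain approach above, worked through as an added example (not code from the answer or from the iptables project): a LOG rule that only inbound packets can reach, restricted to packets whose Ethernet source is a local MAC, plus small helpers that pull the interface and source MAC back out of the resulting kernel log lines. It assumes Linux iptables with the 'mac' match and LOG target; the interface, MAC and log line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: log, via the INPUT chain that
# only inbound packets traverse, any IP packet whose Ethernet source is one of
# our own MACs, then extract the useful fields from the kernel log. Assumes
# Linux iptables with the 'mac' match and LOG target; interface, MAC and the
# sample log line are constructed placeholders.

PREFIX='own-mac-in: '

# Install (action=-I) or remove (action=-D) the logging rule. The mac match is
# only valid in PREROUTING, INPUT and FORWARD, which suits this job: it can
# never match our own transmissions. The limit match keeps a storm of looped
# frames from flooding the log.
own_mac_log_rule() {
    action=$1; iface=$2; mac=$3
    iptables "$action" INPUT -i "$iface" -m mac --mac-source "$mac" \
        -m limit --limit 10/min -j LOG --log-prefix "$PREFIX"
}

# The LOG target writes MAC=<dst mac>:<src mac>:<ethertype>, i.e. 14
# colon-separated bytes. Print the source MAC (bytes 7-12) from one log line;
# fail if the line carries no MAC= field.
log_src_mac() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^MAC=/) {
            n = split(substr($i, 5), b, ":")
            if (n < 12) exit 1
            printf "%s:%s:%s:%s:%s:%s\n", b[7], b[8], b[9], b[10], b[11], b[12]
            exit 0
        }
        exit 1
    }'
}

# Print the ingress interface (IN=) from one log line.
log_in_iface() {
    printf '%s\n' "$1" | sed -n 's/.* IN=\([^ ]*\).*/\1/p'
}

# Constructed sample of what the kernel would log for such a packet (not a
# real capture): dst 52:54:00:aa:bb:cc, src 52:54:00:12:34:56, ethertype 0800.
SAMPLE='kernel: own-mac-in: IN=bond0.2222 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=443 DPT=51234'

# Usage (needs root):
#   own_mac_log_rule -I bond0.2222 52:54:00:12:34:56     # install
#   journalctl -k -g 'own-mac-in:' | while read -r l; do log_src_mac "$l"; done
#   own_mac_log_rule -D bond0.2222 52:54:00:12:34:56     # remove
```

Two limits worth knowing before relying on this: iptables only sees IP packets delivered to the host's own stack, so ARP, STP and other non-IP frames never reach the rule, and frames the bridge merely forwards between ports do not traverse INPUT. tcpdump with -Q in sees all of those, so the two answers complement each other rather than substitute for one another.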