tcpdump mailing list archives
Display of packet direction and interface name
From: Paul LeoNerd Evans <leonerd () leonerd org uk>
Date: Sat, 10 Apr 2010 23:43:45 +0100
I often require packet tracing tools, to help debug complex routing/NATting setups on machines with many interfaces; both physical and virtual (due to VLANs, VPNs, PPP links, etc...). It's vital to know exactly which interface a packet is received on or sent from, to debug these issues.

I've had a good look around both the tcpdump docs, and the underlying libpcap docs, and have failed to find any way to make tcpdump on Linux do this. The closest I got was observing that the information Linux passes up in the struct sockaddr_ll address gets thrown away by both the EN10MB and LINUX_SLL datalink types.

To assist in my networking debugging, I have instead written a new application based directly on PF_PACKET, working around this limitation. Compare outputs below to observe the usefulness in this situation, of having such information; it shows a packet received over a PPPoE link and routed out over regular ethernet; and its corresponding reply.

RX(extern): PPPoE| TCP| server.outside:imaps->client.inside:56368: ACK PSH
RX(ppp0): TCP| server.outside:imaps->client.inside:56368: ACK PSH
TX(wired): TCP| server.outside:imaps->client.inside:56368: ACK PSH
RX(wired): TCP| client.inside:56368->server.outside:imaps: ACK
TX(ppp0): TCP| client.inside:56368->server.outside:imaps: ACK
TX(extern): PPPoE| TCP| client.inside:56368->server.outside:imaps: ACK

vs

PPPoE [ses 0x1b66] IP server.outside.imaps > client.inside.56368: P 1970551533:1970551586(53) ack 1526886263 win 54 <nop,nop,timestamp 1758731416 260501035>
IP server.outside.imaps > client.inside.56368: P 0:53(53) ack 1 win 54 <nop,nop,timestamp 1758731416 260501035>
IP server.outside.imaps > client.inside.56368: P 0:53(53) ack 1 win 54 <nop,nop,timestamp 1758731416 260501035>
IP client.inside.56368 > server.outside.imaps: . ack 53 win 865 <nop,nop,timestamp 260531043 1758731416>
IP client.inside.56368 > server.outside.imaps: . ack 53 win 865 <nop,nop,timestamp 260531043 1758731416>

((at this point tcpdump failed to observe the outbound PPPoE packet but I'm not sure why...))

Ignoring for a moment the differences in output style, I hope it's immediately obvious the usefulness of being able to see a packet RX'ed in ppp0 which is then TX'ed on wired.

It would be really useful if libpcap were to provide, perhaps via a new datalink type, this information, to enable tcpdump or other applications to display it.

Is there any way I can assist in making this happen?

--
Paul "LeoNerd" Evans
leonerd () leonerd org uk
ICQ# 4135350 | Registered Linux# 179460
http://www.leonerd.org.uk/
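
An added example, not part of the original message and not the author's tool or tcpdump/libpcap code: a minimal Linux PF_PACKET reader showing where the interface index and direction arrive in struct sockaddr_ll, the information the message says is dropped. The helper names `direction` and `format_origin` and the output layout are assumptions made for illustration.

```c
/* Added example: per-packet interface and direction from struct sockaddr_ll. */
#include <arpa/inet.h>
#include <net/ethernet.h>      /* ETH_P_ALL */
#include <net/if.h>            /* if_indextoname, IF_NAMESIZE */
#include <netpacket/packet.h>  /* struct sockaddr_ll, PACKET_* */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* PACKET_OUTGOING marks frames sent by the local host; every other
 * sll_pkttype value (host, broadcast, multicast, otherhost) was received. */
static const char *direction(const struct sockaddr_ll *sll)
{
    return sll->sll_pkttype == PACKET_OUTGOING ? "TX" : "RX";
}

/* Render "RX(ifname)" or "TX(ifname)". Falls back to "if#N" when the index
 * no longer resolves, e.g. a ppp or VPN interface torn down before lookup. */
static int format_origin(const struct sockaddr_ll *sll, char *out, size_t len)
{
    char name[IF_NAMESIZE];
    if (if_indextoname((unsigned)sll->sll_ifindex, name) == NULL)
        snprintf(name, sizeof name, "if#%d", sll->sll_ifindex);
    return snprintf(out, len, "%s(%s)", direction(sll), name);
}

int main(void)
{
    /* Requires CAP_NET_RAW. The socket is not bound, so it sees all interfaces. */
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }

    unsigned char frame[65536];
    char origin[IF_NAMESIZE + 8];
    for (;;) {
        struct sockaddr_ll sll;
        socklen_t slen = sizeof sll;
        memset(&sll, 0, sizeof sll);
        ssize_t n = recvfrom(fd, frame, sizeof frame, 0,
                             (struct sockaddr *)&sll, &slen);
        if (n < 0) { perror("recvfrom"); break; }
        format_origin(&sll, origin, sizeof origin);
        printf("%-14s proto 0x%04x, %zd bytes\n",
               origin, ntohs(sll.sll_protocol), n);
    }
    close(fd);
    return 1;
}
```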