topic Re: What is 'IN' and 'OUT' of g_tcpdump? in Hyperscale Firewall (Maestro)

What is 'IN' and 'OUT' of g_tcpdump?

morris — Fri, 17 Aug 2018 06:41:33 GMT

Hey everyone,

I was asked to capture some packets:

g_tcpdump -enni any host 1.1.1.1 and 2.2.2.2

[1_04]10:33:23.330521 In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331141 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331142 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.376815 In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376841 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376140 In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376233 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376253 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376842 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>

What exactly does 'IN' and 'OUT' mean?

I first suggested that it has something to do with an Interface, but then I saw that every combination between MAC and IN/OUT exists. Furthermore, no interface is displayed

Do you have any idea?

My internet search didn't work with IN/OUT

Best regards,

Maurice

Re: What is 'IN' and 'OUT' of g_tcpdump?

_Val_ — Fri, 17 Aug 2018 08:14:35 GMT

Hi Maurice,

the output shows you the same packet twice, inbound and outbound directions, which are marked accordingly: IN and OUT

Re: What is 'IN' and 'OUT' of g_tcpdump?

morris — Fri, 17 Aug 2018 08:32:38 GMT

Hi Valeri,

thank you for your answer.

As a result, the sum of IN and OUT should be the same? But this is not the case.

Re: What is 'IN' and 'OUT' of g_tcpdump?

_Val_ — Fri, 17 Aug 2018 10:14:26 GMT

What do you mean, "the sum"

Here for example it is a single packet being forwarded:

[1_04]10:33:23.330521 In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>

If, however, packets are being dropped, you will see IN but not OUT. If there is NAT performed, packets will look differently on IN and OUT.

This is all normal. I am not sure what you are trying to achive with this command, but if you are interested in troubleshooting FW operations, fw monitor is advised, tcpdump is a bit less informative.

Re: What is 'IN' and 'OUT' of g_tcpdump?

Lari_Luoma — Thu, 23 Aug 2018 02:09:45 GMT

g_tcpdump can indeed be a little confusing since it shows the packet from all SGMs and the same packet can be seen several times especially if there is correction.

Better way to use tcpdump in scalable platforms is to find the traffic flow by using asg search and then taking tcpdump locally on the SGM shown by asg search.

Re: What is 'IN' and 'OUT' of g_tcpdump?

AndyY — Thu, 27 Sep 2018 21:17:43 GMT

Hi Maurice,

IN/OUT is showing direction of the packet for current interface. You can see the packet few time because it passes few virtual interfaces. Please add "-P" flag to g_tcpdump to see interface name in the output: "g_tcpdump -Penni any host 1.1.1.1"