This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
morris
Contributor
‎2018-08-16 11:41 PM

What is 'IN' and 'OUT' of g_tcpdump?

Hey everyone,

I was asked to capture some packets:

g_tcpdump -enni any host 1.1.1.1 and 2.2.2.2

[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331141 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331142 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.376815  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376841 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376140  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376233 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376253 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376842 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>

What exactly does 'IN' and 'OUT' mean?

I first suggested that it has something to do with an Interface, but then I saw that every combination between MAC and IN/OUT exists. Furthermore, no interface is displayed

Do you have any idea?

My internet search didn't work with IN/OUT

Best regards,

Maurice

5 Replies
_Val_
Admin
Admin
‎2018-08-17 01:14 AM

Hi Maurice, 

the output shows you the same packet twice, inbound and outbound directions, which are marked accordingly: IN and OUT

0 Kudos
morris
Contributor
‎2018-08-17 01:32 AM

Hi Valeri,

thank you for your answer.

As a result, the sum of IN and OUT should be the same? But this is not the case.

0 Kudos
_Val_
Admin
Admin
‎2018-08-17 03:14 AM
In response to morris

What do you mean, "the sum"

Here for example it is a single packet being forwarded: 

[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7> 
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7> 

If, however, packets are being dropped, you will see IN but not OUT. If there is NAT performed, packets will look differently on IN and OUT.

This is all normal. I am not sure what you are trying to achive with this command, but if you are interested in troubleshooting FW operations, fw monitor is advised, tcpdump is a bit less informative.

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2018-08-22 07:09 PM

g_tcpdump can indeed be a little confusing since it shows the packet from all SGMs and the same packet can be seen several times especially if there is correction.

Better way to use tcpdump in scalable platforms is to find the traffic flow by using asg search and then taking tcpdump locally on the SGM shown by asg search.

0 Kudos
AndyY
Employee
Employee
‎2018-09-27 02:17 PM

Hi Maurice, 

IN/OUT is showing direction of the packet for current interface. You can see the packet few time because it passes few virtual interfaces. Please add "-P" flag to g_tcpdump to see interface name in the output: "g_tcpdump -Penni any host 1.1.1.1"

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events