
What is 'IN' and 'OUT' of g_tcpdump?

Hey everyone,

I was asked to capture some packets:

g_tcpdump -enni any host 1.1.1.1 and 2.2.2.2

[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331141 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331142 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.376815  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376841 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376140  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376233 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376253 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376842 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>

What exactly do 'IN' and 'OUT' mean?

I first suggested that it has something to do with an interface, but then I saw that every combination between MAC and IN/OUT exists. Furthermore, no interface is displayed.

Do you have any idea?

My internet search didn't work with IN/OUT.

Best regards,

Maurice

5 Replies

Re: What is 'IN' and 'OUT' of g_tcpdump?

Hi Maurice, 

The output shows you the same packet twice, in the inbound and outbound directions, which are marked accordingly as IN and OUT.

0 Kudos

Re: What is 'IN' and 'OUT' of g_tcpdump?

Hi Valeri,

thank you for your answer.

As a result, the sum of IN and OUT should be the same? But this is not the case.

0 Kudos

Re: What is 'IN' and 'OUT' of g_tcpdump?

What do you mean, "the sum"?

Here for example it is a single packet being forwarded: 

[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7> 
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7> 

If, however, packets are being dropped, you will see IN but not OUT. If there is NAT performed, packets will look differently on IN and OUT.

This is all normal. I am not sure what you are trying to achieve with this command, but if you are interested in troubleshooting FW operations, fw monitor is advised; tcpdump is a bit less informative.

0 Kudos
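Example code, not part of this thread, that applies the rule in the reply above to capture lines of the shape shown earlier: it parses the g_tcpdump line layout into SGM, direction and flow, pairs each In with its Out on the same SGM, and reports packets that arrived but never left. The sample lines are constructed (the SYN and SYN-ACK mirror the thread's capture with TCP options abridged; the final ACK is invented to show the In-only case), and the regex assumes exactly that line layout.

```python
import re
from collections import defaultdict

# Line shape copied from the capture earlier in the thread ("any" interface):
# [SGM]timestamp In|Out MAC ethertype ... length N: src > dst: TCP flags/seq ...
LINE_RE = re.compile(
    r"^\[(?P<sgm>[^\]]+)\](?P<ts>\S+)\s+(?P<dir>In|Out)\s+(?P<mac>[0-9a-f:]{17})\s+"
    r"ethertype\s+\S+\s+\(\S+\),\s+length\s+(?P<length>\d+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<tcp>.*?)(?:\s+win\s.*)?$"
)

# Constructed sample (TCP options abridged): the SYN and SYN-ACK lines mirror the
# thread's capture; the final ACK is invented and is seen In only, with no Out.
SAMPLE = """\
[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200
[1_03]10:33:23.376140  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192
[1_03]10:33:23.376233 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192
[1_04]10:33:23.420000  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 68: 2.2.2.2.42814 > 1.1.1.1.25: . ack 316929425 win 229
"""


def parse_line(line):
    """Return the fields of one g_tcpdump line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Pair In/Out sightings per SGM and per packet (src, dst, TCP flags/seq).

    In without a matching Out on the same SGM means the packet was not forwarded
    there (dropped, or rewritten by NAT so its Out line has other addresses).
    """
    seen = defaultdict(lambda: defaultdict(lambda: {"In": 0, "Out": 0}))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a capture line
        key = (rec["src"], rec["dst"], rec["tcp"])
        seen[rec["sgm"]][key][rec["dir"]] += 1
    report = {}
    for sgm, packets in seen.items():
        buckets = {"forwarded": [], "in_only": [], "out_only": []}
        for key, n in packets.items():
            bucket = "forwarded" if n["In"] and n["Out"] else ("in_only" if n["In"] else "out_only")
            buckets[bucket].append(key)
        report[sgm] = buckets
    return report
```

Run `summarize(open("capture.txt").read())` on a saved g_tcpdump capture; a flow whose In lines all land in `in_only` is the drop-or-NAT case described in the reply, and a NAT rewrite will also show up as a separate `out_only` entry with the translated addresses.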
Employee+

Re: What is 'IN' and 'OUT' of g_tcpdump?

g_tcpdump can indeed be a little confusing, since it shows the packet from all SGMs, and the same packet can be seen several times, especially if there is correction.

A better way to use tcpdump in scalable platforms is to find the traffic flow by using asg search and then take tcpdump locally on the SGM shown by asg search.

0 Kudos
Employee

Re: What is 'IN' and 'OUT' of g_tcpdump?

Hi Maurice, 

IN/OUT shows the direction of the packet for the current interface. You can see the packet a few times because it passes through a few virtual interfaces. Please add the "-P" flag to g_tcpdump to see the interface name in the output: "g_tcpdump -Penni any host 1.1.1.1"