morris
Contributor

What is 'IN' and 'OUT' of g_tcpdump?

Hey everyone,

I was asked to capture some packets:

g_tcpdump -enni any host 1.1.1.1 and 2.2.2.2

[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331141 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.331142 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7>
[1_04]10:33:23.376815  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376841 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376140  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376233 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_03]10:33:23.376253 Out aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>
[1_04]10:33:23.376842 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 3937627326 1052353694>

What exactly does 'IN' and 'OUT' mean?

I first suggested that it has something to do with an interface, but then I saw that every combination between MAC and IN/OUT exists. Furthermore, no interface is displayed.

Do you have any idea?

My internet search didn't work with IN/OUT.

Best regards,

Maurice

5 Replies
_Val_
Admin

Hi Maurice, 

The output shows you the same packet twice, in the inbound and outbound directions, which are marked accordingly: IN and OUT.

morris
Contributor

Hi Valeri,

thank you for your answer.

As a result, the sum of IN and OUT should be the same? But this is not the case.

_Val_
Admin

What do you mean, "the sum"?

Here for example it is a single packet being forwarded: 

[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7> 
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200 <mss 1376,sackOK,timestamp 1052353694 0,nop,wscale 7> 

If, however, packets are being dropped, you will see IN but not OUT. If there is NAT performed, packets will look differently on IN and OUT.

This is all normal. I am not sure what you are trying to achieve with this command, but if you are interested in troubleshooting FW operations, fw monitor is advised; tcpdump is a bit less informative.

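A small parser for this kind of output, added here as an example and not code from the thread or from Check Point. It keys each record on the SGM tag and the TCP summary (flags, seq/ack, window), so an In whose source address differs from its Out (NAT) still pairs up, it counts how many times each packet appears, and it lists packets that were seen In on an SGM with no matching Out on that SGM. The sample lines are constructed: the first six are copied from the output above, the remaining three are made up to show an In-only packet and a source-NATed one. The line layout, and the assumption that sequence numbers are not rewritten by the gateway, are mine.

```python
"""Pair In/Out records from tcpdump "-i any -e" style output, per SGM.

Added example for this thread, not Check Point code. It assumes the line layout
shown above: an [SGM] prefix, a timestamp, In/Out, a MAC address, the ethertype
text, then "src.port > dst.port: <tcp summary>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<sgm>[^\]]+)\]"                          # [1_04]: SGM / member tag
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<dir>In|Out)\s+"                            # direction relative to the interface
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"ethertype \S+ \(0x[0-9a-f]+\), length (?P<len>\d+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<tcp>.*)$"
)

# Constructed sample: the first six lines mirror the thread's output (SYN seen In once,
# Out three times; SYN/ACK In and Out); the rest are made up to show an In-only packet
# and a source-NATed packet.
SAMPLE = """\
[1_04]10:33:23.330521  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200
[1_04]10:33:23.331136 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200
[1_04]10:33:23.331141 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200
[1_04]10:33:23.331142 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 2.2.2.2.42814 > 1.1.1.1.25: S 2726345066:2726345066(0) win 29200
[1_04]10:33:23.376815  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192
[1_04]10:33:23.376841 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 76: 1.1.1.1.25 > 2.2.2.2.42814: S 316929424:316929424(0) ack 2726345067 win 8192
[1_03]10:33:24.000000  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 60: 3.3.3.3.5555 > 1.1.1.1.25: S 100:100(0) win 1000
[1_04]10:33:25.000000  In aa:aa:aa:aa:aa:aa ethertype IPv4 (0x0800), length 60: 10.0.0.5.40000 > 1.1.1.1.25: S 500:500(0) win 1000
[1_04]10:33:25.000100 Out bb:bb:bb:bb:bb:bb ethertype IPv4 (0x0800), length 60: 2.2.2.9.40000 > 1.1.1.1.25: S 500:500(0) win 1000
"""


def parse(text):
    """Return one dict per line that matches LINE_RE; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def pair_directions(pkts):
    """Group records by (SGM, TCP summary) and classify each group.

    The TCP summary is unchanged by address translation, so an In and an Out with
    different src/dst but the same summary are treated as one packet before and
    after NAT. Assumption: the gateway does not rewrite sequence numbers.
    Groups are keyed per SGM because each SGM reports its own In/Out view.
    """
    groups = defaultdict(list)
    for p in pkts:
        groups[(p["sgm"], p["tcp"])].append(p)

    results = []
    for (sgm, tcp), recs in groups.items():
        ins = [r for r in recs if r["dir"] == "In"]
        outs = [r for r in recs if r["dir"] == "Out"]
        first = (ins or outs)[0]
        if ins and outs:
            status = "forwarded"
            if (ins[0]["src"], ins[0]["dst"]) != (outs[0]["src"], outs[0]["dst"]):
                status = "forwarded+nat"   # addresses differ between In and Out
        elif ins:
            status = "in-only"             # arrived but never left: dropped, or egress not captured
        else:
            status = "out-only"            # locally generated, or ingress seen on another SGM
        results.append({
            "sgm": sgm,
            "flow": f"{first['src']} > {first['dst']}",
            "tcp": tcp,
            "in": len(ins),
            "out": len(outs),
            "status": status,
        })
    return results


def suspect_drops(results):
    """Packets that entered an SGM but were never seen leaving it."""
    return [r for r in results if r["status"] == "in-only"]


if __name__ == "__main__":
    for r in pair_directions(parse(SAMPLE)):
        print(f"[{r['sgm']}] {r['flow']:<32} in={r['in']} out={r['out']} {r['status']}")
```

Run it against a saved g_tcpdump capture (replace SAMPLE with the file contents) and look at the "in-only" rows first: those are the candidates for a drop, and the in/out counts show how many times one packet was reported. A packet that only shows up "out-only" on an SGM is not a drop; its In was either captured on a different SGM or the packet was generated by the gateway itself.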
Lari_Luoma
Ambassador

g_tcpdump can indeed be a little confusing since it shows the packet from all SGMs and the same packet can be seen several times especially if there is correction.

Better way to use tcpdump in scalable platforms is to find the traffic flow by using asg search and then taking tcpdump locally on the SGM shown by asg search.

AndyY
Employee

Hi Maurice, 

IN/OUT shows the direction of the packet for the current interface. You can see the packet a few times because it passes through a few virtual interfaces. Please add the "-P" flag to g_tcpdump to see the interface name in the output: "g_tcpdump -Penni any host 1.1.1.1"