Packet Capture: received vs. sent
-
When using Packet Capture, is there a way to distinguish packets received on the interface vs. packets sent?
I am aware that in some situations this can be readily deduced from addresses in the packets. I have an SG3100 configured as a filtering bridge (works for us). In this configuration it would be handy sometimes to clearly see received vs sent packets.
Thanks,
K
-
@kj32 said in Packet Capture: received vs. sent:
I am aware that in some situations this can be readily deduced from addresses in the packets.
Not some, but all.
Ethernet packets always have a source and destination IP address.
And if they aren't there, as for example ARP doesn't use IP as it is used to get IP info, the local MAC addresses are used. And these are unique on every network. You should know them?! So, if you know the devices on your network, you know the direction of the packets.
What's left is the special stuff, like when an IP = 0.0.0.0 is used, as these are broadcast packets.
-
@kj32 said in Packet Capture: received vs. sent:
When using Packet Capture, is there a way to distinguish packets received on the interface vs. packets sent?
Filter on the MAC address. Everything leaving should have the same MAC. The filter can either select or reject that MAC.
-
Er, no. That's not how bridges work. Bridges preserve the mac address of the previous sender.
Regards,
K
-
You can still see the source and destination MACs so if you know where those are you can see which way across the bridge the packet is moving.
If you run
ifconfig bridge0 addr
you can see the MAC addresses learned by the bridge and which interface they are on.
-
Thanks, I did not know about that.
-
OK, I take it that the answer to my question is 'no'. That's fine. The technique suggested by stephenw10 certainly allows me to confirm which port on the bridge is connected where. Or, I can go on-site and verify which bridge port is connected at which end. (The bridge is deliberately configured so that the ports are symmetric, and it will work if the upstream cable and downstream cable are swapped.)
I stand by this assertion, however: "In this configuration it would be handy sometimes to clearly see received vs sent packets." Not essential, there are obviously work-arounds. But handy.
-
Sorry, I missed the bridge part.
-
A bridge interface is tricky because there is no sent/received really. Every packet crosses it. Unless the interface is assigned in which case pfSense can send/receive from it and will use the generated bridge MAC.
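
The technique suggested in the thread (matching each frame's source MAC against the table printed by `ifconfig bridge0 addr`) can be scripted. The following is an added example, not part of the original posts: the interface names `igb0`/`igb1`, the MAC addresses and both sample outputs are constructed, and the table layout `<mac> Vlan<n> <member> <expire> flags=...` is assumed from FreeBSD's ifconfig.

```python
import re

# Constructed sample of `ifconfig bridge0 addr` output (assumed FreeBSD layout:
# <mac> Vlan<n> <member-if> <expire-seconds> flags=...).
BRIDGE_ADDR = """\
02:00:00:00:00:0a Vlan1 igb0 1187 flags=0<>
02:00:00:00:00:0b Vlan1 igb1 1199 flags=0<>
"""

# Constructed sample of `tcpdump -e -n -i igb0` output (-e prints the Ethernet header).
CAPTURE = """\
10:00:00.000001 02:00:00:00:00:0a > 02:00:00:00:00:0b, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.20: ICMP echo request
10:00:00.000420 02:00:00:00:00:0b > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 98: 192.0.2.20 > 192.0.2.10: ICMP echo reply
10:00:01.000000 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.30 tell 192.0.2.10
10:00:02.000000 02:00:00:00:00:99 > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 74: 192.0.2.99.53 > 192.0.2.10.40000: UDP, length 32
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
TABLE_RE = re.compile(rf"^\s*({MAC})\s+Vlan\d+\s+(\S+)\s", re.I)
FRAME_RE = re.compile(rf"^(\S+)\s+({MAC})\s+>\s+({MAC}),", re.I)

def parse_bridge_table(text):
    """Map each learned MAC to the bridge member interface it was seen on."""
    table = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            table[m.group(1).lower()] = m.group(2)
    return table

def classify(line, table, capture_if):
    """Label one tcpdump -e line relative to capture_if, using the source MAC only."""
    m = FRAME_RE.match(line)
    if not m:
        return None                       # not a frame line
    learned_on = table.get(m.group(2).lower())
    if learned_on is None:
        return "unknown"                  # aged-out entry, or sent by the firewall itself
    # Source lives behind the captured port: the frame arrived there.
    # Source lives behind another member: the bridge forwarded it out this port.
    return "received" if learned_on == capture_if else "sent"

def label_capture(capture, table_text, capture_if):
    table = parse_bridge_table(table_text)
    labels = (classify(l, table, capture_if) for l in capture.splitlines())
    return [tag for tag in labels if tag is not None]

if __name__ == "__main__":
    tags = label_capture(CAPTURE, BRIDGE_ADDR, "igb0")
    for line, tag in zip(CAPTURE.splitlines(), tags):
        print(f"{tag:8} {line[:72]}")
```

Only the source MAC decides the label, so broadcast and multicast destinations are handled the same way as unicast; a source that is not in the learned table is reported as unknown rather than guessed.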