A growing realization about tcpdump and reading IP traffic

November 19, 2008

Here is a gotcha about reading tcpdump output that recent events have been tattooing on my forehead:

The only sure way to tell whether a packet is going to your gateway or to something on the local network is to look at the destination Ethernet address.

To put it another way: a packet being sent to your network's gateway does not have the gateway's IP address in it. Thus, reading tcpdump output without Ethernet addresses is not really telling you whether a packet was really sent to your gateway or whether it was just floating by on the network. Similarly if you are reading tcpdump output on the sending machine; until you look at the destination MAC, you don't actually know where the machine is sending the packets, you just think you know.

This is obvious once you think about it (assuming that you know enough about how IP works), as is its interaction with tcpdump being promiscuous and how switches can flood traffic through your network. But you do have to think about it, and not doing so has tripped me up at least twice now. It's certainly not intuitive that more or less the only thing your machine's IP stack does with your gateway's IP address is to ARP for its Ethernet address.

(I think one reason that this is so easy to overlook is that it feels like a layering violation. It's rational to think that the use of an IP gateway should be visible in the IP headers of a packet, instead of only showing up one lever lower.)

Comments on this page:

From at 2008-11-20 08:48:24:

I know this is a bit linux centric but what about the '-p' option to tcpdump? I don't think you have to put the interface in promiscuous mode, but you do have to add the extra arg. Seems easier to me than examining mac addresses.

By cks at 2008-11-20 15:33:13:

There's two problems. First, you can't always use tcpdump -p, for example if you're doing this on the sending machine, and second, using -p is fallible; the tcpdump manpage even contains a caution about this.

(You could use the incantation in the tcpdump manpage, though.)

Written on 19 November 2008.
« BitTorrent's file fragmentation problem
Combining dual identity routing and isolated interfaces revisited »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Nov 19 23:41:45 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.