MAC address anomaly in tcpdump captures

Article ID: 167935
Products

XOS

Issue/Introduction

When capturing packets with tcpdump on a circuit configured with the parameter "hide-vlan-header", the tcpdump output shows unexpected MAC addresses in outgoing packets.

The following example demonstrates this issue. The circuit vlan76 is configured with a VLAN tag 76 and the parameter hide-vlan-header is set:

CBS# show running-config circuit vlan76
circuit vlan76
  device-name vlan76
  vap-group fw
    default-egress-vlan-tag 76 hide-vlan-header
    ip 172.16.76.1/24 172.16.76.255


When running tcpdump to capture traffic on this circuit, neither the source nor the destination MAC address in outgoing packets corresponds to the actual MAC address of the circuit or of the neighbor device:

fw_1 (CBS): ~# tcpdump -c 1 -enni vlan76 dst host 172.16.76.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan76, link-type EN10MB (Ethernet), capture size 96 bytes
13:19:54.033074 41:02:81:00:00:4c > 7c:7f:00:03:d2:f2, ethertype IPv4 (0x0800), length 74: 172.16.76.1.48763 > 172.16.76.254.23: S 3970984189:3970984189(0) win 5840 <mss 1460,sackOK,timestamp 1304490343 0,nop,wscale 7>
1 packets captured
1 packets received by filter
0 packets dropped by kernel


The real circuit MAC address can be displayed in the XOS CLI with the show circuit command (some output is omitted for brevity), or with the Linux commands ifconfig or ip on the VAP:

CBS# show circuit vlan76
Circuit Name                          : vlan76
Circuit-Id                            : 1034
Device Name                           : vlan76
...
Default Egress Vlan Tag               : 76
Hide VLAN Header (true/false)         : t
Replace Egress Vlan Tag               : N/A
MAC Address                           : 00:03:d2:f2:41:02
MTU                                   : 1500
Management Circuit (true/false)       : f
Enable (true/false)                   : t
Primary Type                          : primary
IP Address                            : 172.16.76.1/24
IP Broadcast Address                  : 172.16.76.255
Increment-per-vap Mode (true/false)   : f


fw_1 (CBS): ~# ip link show dev vlan76
13: vlan76: <BROADCAST,MULTICAST,DEBUG,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:03:d2:f2:41:02 brd ff:ff:ff:ff:ff:ff
 

To display the ARP cache and see the MAC address of the neighbor device, you can use the XOS CLI command show arp:

CBS# grep 172.16.76.254 show arp
fw_1       172.16.76.254   00:1c:58:d7:7c:7f dynamic vlan76

Alternatively, use the Linux commands arp or ip on the VAP: 
 
fw_1 (CBS): ~# ip neighbor | grep 172.16.76.254
172.16.76.254 dev vlan76 lladdr 00:1c:58:d7:7c:7f REACHABLE
 

Cause

An untagged Ethernet header contains only MAC addresses and the Ethertype field. The untagged header length is 14 bytes. In case of tagged frames, the header also includes 802.1Q VLAN information that enlarges the header to 18 bytes. 

When a circuit is configured with hide-vlan-header, tcpdump is handed only the last 14 bytes of the Ethernet header, although the packet data structure was built with the full 18-byte tagged header that includes the VLAN tag. In the example below, 0x8100 is the 802.1Q VLAN protocol identifier and 0x004c is VLAN number 76:
 
MAC destination: 001c 58d7 7c7f
MAC source:      0003 d2f2 4102
802.1Q VLAN tag: 8100 004c
Ethertype:       0800

Because tcpdump interprets the packet data starting 4 bytes into the real header, the fields it prints as MAC addresses are shifted: the last two bytes of each real address plus the following bytes (including the VLAN tag) are shown instead. This is a display issue only and has no impact on the actual traffic.

MAC addresses in incoming packets are displayed properly since the VLAN tag is already removed from the frames before tcpdump gets the data.

Resolution

If VLAN tags are supported by the application installed on the VAP group, it is possible to remove the parameter hide-vlan-header from the circuit configuration. When using Check Point SG R70 or any later version, it is recommended to remove this option to achieve the best performance.

To remove this parameter, you must re-enter the default-egress-vlan-tag command without specifying this parameter:

CBS# configure circuit vlan76 vap-group fw default-egress-vlan-tag 76

CBS# show running-config circuit vlan76
circuit vlan76
  device-name vlan76
  vap-group fw
    default-egress-vlan-tag 76
    ip 172.16.76.1/24 172.16.76.255

The parameter hide-vlan-header is removed and the VLAN header is now exposed to applications on the VAP.

Note that when filtering tcpdump output with IP filter expressions on a circuit that exposes the VLAN header, it is necessary to include the keyword vlan (optionally followed by the VLAN number). Otherwise the filter only matches untagged frames, because it looks for the IP header at the untagged offset.

fw_1 (CBS): ~# tcpdump -c1 -enni vlan76 vlan and dst host 172.16.76.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan76, link-type EN10MB (Ethernet), capture size 96 bytes
16:05:48.597562 00:03:d2:f2:41:02 > 00:1c:58:d7:7c:7f, ethertype 802.1Q (0x8100), length 78: vlan 76, p 0, ethertype IPv4, 172.16.76.1.46825 > 172.16.76.254.23: S 1593360639:1593360639(0) win 5840 <mss 1460,sackOK,timestamp 1314446398 0,nop,wscale 7>
1 packets captured
1 packets received by filter
0 packets dropped by kernel
 
The output displays expected local and remote MAC addresses. 
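The following Python script is an added example, not part of this article or of XOS. It reproduces two things described above: first, the MAC anomaly from the Cause section, by parsing a constructed 802.1Q frame (built from the addresses, VLAN 76 and Ethertype shown in the article) from the 4-byte-shifted offset that hide-vlan-header hands to tcpdump; second, why a plain dst host filter does not match tagged frames unless the vlan keyword is present. The filter logic is a simplified emulation of how tcpdump's BPF filter locates the Ethertype and IP header, written here for illustration; the helper names (parse_ethernet, parse_as_hidden_vlan, looks_misaligned, dst_host_matches) are this example's own.

```python
"""Added example: reproduce the hide-vlan-header MAC anomaly and the
'vlan' filter offset problem on a constructed 802.1Q frame."""
import ipaddress
import struct

# Constructed 18-byte tagged Ethernet header using the addresses from the
# article: neighbour 00:1c:58:d7:7c:7f, circuit 00:03:d2:f2:41:02, VLAN 76.
TAGGED_HEADER = bytes.fromhex(
    "001c58d77c7f"   # destination MAC (neighbour device)
    "0003d2f24102"   # source MAC (circuit vlan76)
    "8100004c"       # 802.1Q TPID 0x8100, TCI 0x004c -> VLAN 76
    "0800"           # Ethertype IPv4
)

# Constructed minimal IPv4 header, 172.16.76.1 -> 172.16.76.254, proto TCP,
# checksum left at zero (no stack will validate it here).
IPV4_HEADER = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
    ipaddress.IPv4Address("172.16.76.1").packed,
    ipaddress.IPv4Address("172.16.76.254").packed,
)

TAGGED_FRAME = TAGGED_HEADER + IPV4_HEADER
# Same frame with the 4-byte 802.1Q tag stripped (what the VAP receives inbound).
UNTAGGED_FRAME = TAGGED_HEADER[:12] + TAGGED_HEADER[16:] + IPV4_HEADER


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet header, handling a single 802.1Q tag if present."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if etype == 0x8100:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": vlan,
            "ethertype": etype, "payload_offset": offset}


def parse_as_hidden_vlan(frame: bytes) -> dict:
    """Emulate hide-vlan-header: tcpdump is handed only the last 14 bytes of
    the 18-byte header, i.e. the frame as seen from 4 bytes in."""
    return parse_ethernet(frame[4:])


def looks_misaligned(parsed: dict) -> bool:
    """Heuristic check for the anomaly: in the 4-byte-shifted view, the
    802.1Q TPID 0x8100 lands in bytes 2..3 of what is printed as the source
    MAC (a genuine MAC could contain 81:00 there, so treat as a hint only)."""
    src = bytes.fromhex(parsed["src"].replace(":", ""))
    return src[2:4] == b"\x81\x00"


def dst_host_matches(frame: bytes, host: str, vlan_keyword: bool) -> bool:
    """Simplified emulation of tcpdump's 'dst host H' / 'vlan and dst host H'.
    Without 'vlan' the filter expects Ethertype IPv4 at offset 12 and the
    destination address at 14+16; 'vlan' requires 0x8100 at offset 12 and
    shifts every later offset by 4."""
    etype_off = 12
    if vlan_keyword:
        if frame[12:14] != b"\x81\x00":
            return False
        etype_off = 16
    if frame[etype_off:etype_off + 2] != b"\x08\x00":
        return False
    ip_off = etype_off + 2
    dst_ip = ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20])
    return str(dst_ip) == host


if __name__ == "__main__":
    good = parse_ethernet(TAGGED_FRAME)
    bad = parse_as_hidden_vlan(TAGGED_FRAME)
    print("correct parse :", good["src"], ">", good["dst"], "vlan", good["vlan"])
    print("shifted parse :", bad["src"], ">", bad["dst"],
          "misaligned?", looks_misaligned(bad))
    for name, frame in (("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME)):
        for kw in (False, True):
            print(f"{name:8s} filter {'vlan and ' if kw else ''}dst host ->",
                  dst_host_matches(frame, "172.16.76.254", kw))
```

The shifted parse prints 41:02:81:00:00:4c > 7c:7f:00:03:d2:f2, exactly the pair reported by the first tcpdump capture in this article, while the correct parse yields the circuit and neighbour addresses from show circuit and show arp. The filter emulation shows the mirror image of the Resolution note: on the tagged frame only the vlan form matches, and on the untagged frame only the plain form does.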

Workaround

To verify actual MAC addresses in frames as they leave the chassis, you can use the tcpdump feature on the NPM. See the section References, later in this article.