https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219789#M63429 <P>You are correct in your assertions:</P><P>When a packet arrives on an L3 interface, that packet's destination MAC should be the firewall's ingress interface.</P><P>When a packet arrives on an L2 interface, it will have the destination MAC of the next L3 hop.</P><P>&nbsp;</P><P>Some odd MAC addresses in captures can be caused by technologies like VRRP/HSRP or other tech that uses a virtual MAC address.</P><P>&nbsp;</P><P>If you can provide additional detail specifics like the actual MAC prefix, as well as the specifics about the NAT problem you're seeing it would also help.</P> Thu, 28 Jun 2018 19:46:29 GMT gwesson 2018-06-28T19:46:29Z https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219732#M63424 <P>Hello,</P><P>I have a doubt about how to interpret macs in rx pcap and tx pcap. I thought that:<BR />when the traffic enter a layer 3 interface:</P><P>the mac destination addres in rx file must be the mac of&nbsp; ingress interface?<BR />and in tx the source mac, must be the mac of eggres interface?</P><P>when the traffic enter a layer 2 interface:<BR />the source and destination mac don't change, this is correct?</P><P>&nbsp;</P><P>I had a problem with asymetric traffic , b<SPAN>asically we had multiple links to the internet,&nbsp;our application&nbsp;was using NAT for ingress on one of our service links and our default internet access link for egress (which is a different link). </SPAN></P><P><SPAN>this problem could be&nbsp;understood by comparing the destination and the source mac addresses of the packets on&nbsp;rx and tx?</SPAN></P><P><SPAN>in this pcaps I saw stranged mac, but I don't know what I have to check to find this problem with nat?</SPAN></P><P>&nbsp;</P> Thu, 28 Jun 2018 15:58:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219732#M63424 Marivi 2018-06-28T15:58:45Z https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219789#M63429 <P>You are correct in your assertions:</P><P>When a packet arrives on an L3 interface, that packet's destination MAC should be the firewall's ingress interface.</P><P>When a packet arrives on an L2 interface, it will have the destination MAC of the next L3 hop.</P><P>&nbsp;</P><P>Some odd MAC addresses in captures can be caused by technologies like VRRP/HSRP or other tech that uses a virtual MAC address.</P><P>&nbsp;</P><P>If you can provide additional detail specifics like the actual MAC prefix, as well as the specifics about the NAT problem you're seeing it would also help.</P> Thu, 28 Jun 2018 19:46:29 GMT https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219789#M63429 gwesson 2018-06-28T19:46:29Z https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219870#M63446 <P>hello,</P><P>Thank you very much for your help, the mac I see are for example for a SYN, [SYN, ACK]:</P><P>&nbsp;</P><P><STRONG><FONT color="#0000ff">in rx pacap:&nbsp;&nbsp;</FONT></STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; RETURN</P><P>source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;destination:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>cisco_b3:7d:77&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<STRONG>&nbsp;<FONT color="#ff0000"> Vmware_a6:5a:f0</FONT>&nbsp;&nbsp;&nbsp;&nbsp;</STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Vmware_a6:99:e3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; <STRONG><FONT color="#ff0000">Vmware_a6:bc:05</FONT></STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<FONT color="#ff0000">&nbsp; (here why isn't palo alto mac?)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (here why isn't palo alto mac?)</FONT></P><P><FONT color="#0000ff"><STRONG>in tx pcap:&nbsp;&nbsp;&nbsp;&nbsp;</STRONG>&nbsp;</FONT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;RETURN</P><P>source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;destination:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination:</P><P><STRONG><FONT color="#ff0000">Vmware_a6:bc:05&nbsp;</FONT></STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Vm_ware_a6:99:e3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<STRONG><FONT color="#ff0000">Vmware_a6:5a:f0&nbsp;</FONT></STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All-HSRP-routers-e9</P><P><FONT color="#ff0000">&nbsp;(here why isn't palo alto mac?)</FONT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<FONT color="#ff0000">&nbsp;(here why isn't palo alto mac?)</FONT></P><P>&nbsp;</P><P><FONT color="#000000">how affect MAC addres seen in pcap when you do source or destination nat?</FONT></P><P><FONT color="#000000"><FONT color="#000000">Thank you very much.</FONT></FONT></P> Fri, 29 Jun 2018 08:47:02 GMT https://live.paloaltonetworks.com/t5/general-topics/how-interpret-mac-in-pcap/m-p/219870#M63446 Marivi 2018-06-29T08:47:02Z