how interpret MAC in pcap

L2 Linker

Hello,

I have a doubt about how to interpret MACs in the rx pcap and tx pcap. I thought that:
when the traffic enters a layer 3 interface:

the destination MAC address in the rx file must be the MAC of the ingress interface?
and in tx the source MAC must be the MAC of the egress interface?

when the traffic enters a layer 2 interface:
the source and destination MACs don't change, is this correct?

 

I had a problem with asymmetric traffic: basically we had multiple links to the internet, and our application was using NAT for ingress on one of our service links and our default internet access link for egress (which is a different link).

Could this problem be understood by comparing the destination and source MAC addresses of the packets in rx and tx?

In these pcaps I saw strange MACs, but I don't know what I have to check to find this problem with NAT.

 

Accepted Solutions

L7 Applicator

You are correct in your assertions:

When a packet arrives on an L3 interface, that packet's destination MAC should be the firewall's ingress interface.

When a packet arrives on an L2 interface, it will have the destination MAC of the next L3 hop.

 

Some odd MAC addresses in captures can be caused by technologies like VRRP/HSRP or other tech that uses a virtual MAC address.

 

If you can provide additional details, like the actual MAC prefix, as well as the specifics about the NAT problem you're seeing, it would also help.

2 REPLIES

hello,

Thank you very much for your help. The MACs I see, for example for a SYN and [SYN, ACK], are:

in rx pcap:
  source: cisco_b3:7d:77, destination: Vmware_a6:5a:f0 (why isn't this the Palo Alto MAC?)
  RETURN: source: Vmware_a6:99:e3, destination: Vmware_a6:bc:05 (why isn't this the Palo Alto MAC?)

in tx pcap:
  source: Vmware_a6:bc:05 (why isn't this the Palo Alto MAC?), destination: Vm_ware_a6:99:e3
  RETURN: source: Vmware_a6:5a:f0 (why isn't this the Palo Alto MAC?), destination: All-HSRP-routers-e9

How is the MAC address seen in the pcap affected when you do source or destination NAT?

Thank you very much.
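
The checks discussed in this thread, as an added example that is not part of the original posts: it compares the firewall-side MAC of each captured frame with the interface MAC (destination in rx, source in tx) and names VRRP/HSRPv1 virtual MACs by their well-known prefixes. The function names, the `FW`/`RX`/`TX` samples and every MAC in them are constructed for illustration and are not taken from the thread.

```python
import struct

# Virtual-router MAC prefixes (first 5 bytes); the 6th byte is the group/VRID.
VIRTUAL = {
    bytes.fromhex("00005e0001"): "VRRP IPv4",
    bytes.fromhex("00005e0002"): "VRRP IPv6",
    bytes.fromhex("00000c07ac"): "HSRPv1",
}

def fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def classify(mac: bytes) -> str:
    """Name the kind of MAC: virtual-router, broadcast/multicast or unicast."""
    if mac[:5] in VIRTUAL:
        return f"{VIRTUAL[mac[:5]]} virtual MAC, group {mac[5]}"
    if mac[0] & 1:  # I/G bit set
        return "broadcast/multicast"
    return "unicast"

def check_stage(stage: str, frames: list, fw_mac: bytes) -> list:
    """rx (L3 interface): dst should be the firewall's ingress interface MAC.
    tx: src should be the firewall's egress interface MAC."""
    findings = []
    for i, frame in enumerate(frames):
        dst, src, _ethertype = struct.unpack("!6s6sH", frame[:14])
        own, peer = (dst, src) if stage == "rx" else (src, dst)
        if own != fw_mac:
            findings.append(f"{stage}[{i}]: {fmt(own)} is not the firewall MAC ({classify(own)})")
        if "virtual" in classify(peer):
            findings.append(f"{stage}[{i}]: peer {fmt(peer)}: {classify(peer)}")
    return findings

def eth(dst: str, src: str) -> bytes:
    """Build a constructed 14-byte Ethernet header (IPv4 ethertype)."""
    return bytes.fromhex(dst.replace(":", "") + src.replace(":", "") + "0800")

# Constructed sample data: locally administered MACs, not taken from the thread.
FW = bytes.fromhex("020000000001")
RX = [eth("02:00:00:00:00:01", "02:00:00:00:00:aa"),   # addressed to the firewall
      eth("02:00:00:00:00:bb", "02:00:00:00:00:aa")]   # addressed to another host
TX = [eth("00:00:0c:07:ac:0a", "02:00:00:00:00:01")]   # next hop is an HSRP group

if __name__ == "__main__":
    for line in check_stage("rx", RX, FW) + check_stage("tx", TX, FW):
        print(line)
```
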
