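Just a quick tip on how to display MAC addresses in the tcpdump utility.
Simply use the “-e” switch, which prints the link-level header (source MAC, destination MAC, ethertype and frame length) on each line.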
tcpdump -i INTERFACENAME -e
Without the -e switch:
[CheckPoint]# tcpdump -i bond2.100 -n
12:28:42.257902 IP 10.20.20.31.49155 > 10.254.25.116.49929: . ack 1831 win 513
12:28:42.258620 IP 10.20.20.31.49155 > 10.254.25.116.49929: P 1:286(285) ack 1831 win 513
With the -e switch:
[CheckPoint]# tcpdump -i bond2.100 -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond2.100, link-type EN10MB (Ethernet), capture size 96 bytes
12:28:02.676263 00:00:85:83:c1:fc > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.254.25.48 tell 10.254.25.222
12:28:02.789472 c4:34:6b:53:b9:f4 > 8c:dc:d4:aa:0e:bd, ethertype IPv4 (0x0800), length 208: 10.254.25.128.49905 > 10.20.204.https: P 2852867481:2852867635(154) ack 1634338568 win 25
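Once the MACs are on each line, the text output can be tabulated. The script below is an added example, not part of the original tip: it maps each source IPv4 address to the source MAC that carried it and lists addresses seen from more than one MAC. The function names (ip_mac_pairs, multi_mac_ips, sample_capture) and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): tabulate which source MAC
# carries which source IPv4 address in `tcpdump -e -n` text output.

# Reads tcpdump -e lines on stdin, prints unique "src_ip src_mac" pairs.
ip_mac_pairs() {
    awk '
    # Expected layout with -e (as in the capture above):
    #   TIME SRC_MAC > DST_MAC, ethertype IPv4 (0x0800), length N: SRC > DST: ...
    $3 == ">" && $5 == "ethertype" && $6 == "IPv4" {
        ip = $10
        # SRC is "a.b.c.d.port" for TCP/UDP but plain "a.b.c.d" for ICMP:
        # drop the fifth dotted component only when it is present.
        if (split(ip, part, ".") == 5) sub(/\.[^.]*$/, "", ip)
        if (!seen[ip " " $2]++) print ip, $2
    }' | sort
}

# Reads "src_ip src_mac" pairs on stdin, prints IPs seen with more than one MAC.
multi_mac_ips() {
    awk '{ n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }' | sort
}

# Constructed sample lines in the same format as the output shown above.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 192.0.2.1.443: S 1:1(0) win 512
12:00:00.000002 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 66: 192.0.2.10.40000 > 192.0.2.1.443: . ack 1 win 512
12:00:00.000003 02:00:00:00:00:02 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.000004 02:00:00:00:00:03 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 192.0.2.1 tell 192.0.2.20
12:00:00.000005 02:00:00:00:00:03 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 66: 192.0.2.20.40001 > 192.0.2.1.443: . ack 1 win 512
EOF
}

# Live use: tcpdump -i INTERFACENAME -e -n -c 1000 | ip_mac_pairs
# (-c bounds the capture so sort sees end of input; the sample stands in here)
sample_capture | ip_mac_pairs
```

An address listed by multi_mac_ips is not necessarily a problem (failover pairs and bonded interfaces can produce it), but on a flat segment it is a quick pointer to which hosts to check.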
Thank you, man.
I was lazy enough to scour TCPDUMP(8) – and you gave a short and useful answer (with example).
Awesome!
Very helpful. Thank you for providing this info.
Saved lots of time for me :) Thanks!