Dump ethernet header / Source MAC / Destination MAC ************************************************************************ Ethernet Header: 14 octets ---- ---- ---- | ---- ---- ---- | ---- MAC destination MAC source Ethertype 6 octets 6 octets 2 octets ************************************************************************ Ethertype can be: 0x0800 IPv4 0x0806 ARP 0x8100 VLAN-tagged 0x86DD IPv6 0x8863 PPPOE Discovery 0x8864 PPPOE Session 0x88BF MikroTik RoMON (unofficial) ************************************************************************ Dump IPv4 encapsulated packets: server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 ip tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 13:23:05.094660 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 60: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 13:23:05.094674 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 42: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:23:05.095456 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:23:05.097118 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 59 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 ether proto 0x0800 tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-22 13:39:14.234529 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 81: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-22 13:39:14.234612 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-22 13:39:14.235408 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-22 13:39:14.236703 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 54 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 '(link[12:2] == 0x0800)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 12:59:03.363489 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 12:59:03.365025 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 12:59:03.369899 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 94: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 12:59:03.369901 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 92: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 45 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 '(link[12] == 0x08)' and '(link[13] == 0)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-22 10:20:17.787364 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-22 10:20:17.789206 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-22 10:20:17.789207 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-22 10:20:17.789460 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 81: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 104 packets received by filter 0 packets dropped by kernel ************************************************************************ Dump IP encapsulated packets with destination MAC address 1a:81:fb:cb:bd:7a server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 ip and ether dst "1a:81:fb:cb:bd:7a" tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 13:25:43.958663 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 13:25:43.970354 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 85: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 13:25:43.976204 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 98: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 13:25:43.996383 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 88: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 17 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 '(link[12:2] == 0x0800)' and '(link[0:4] == 0x1a81fbcb)' and '(link[4:2] == 0xbd7a)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 12:59:23.893870 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 12:59:23.894879 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 60: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 12:59:23.897635 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 96: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 12:59:23.905659 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 91: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 10 packets received by filter 0 packets dropped by kernel ******************************************************************************** Dump IP encapsulated packets with source MAC address 1a:81:fb:cb:bd:7a server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 ip and ether src "1a:81:fb:cb:bd:7a" tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 13:26:41.418985 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:26:41.419432 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:26:41.424527 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 93: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:26:41.431420 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 4 packets captured 21 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 '(link[12:2] == 0x0800)' and '(link[6:4] == 0x1a81fbcb)' and '(link[10:2] == 0xbd7a)' tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 12:59:39.470587 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 12:59:39.470877 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 84: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 12:59:39.471058 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 86: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 12:59:39.471402 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 4 packets captured 40 packets received by filter 0 packets dropped by kernel ******************************************************************************** Dump IP encapsulated packets with source or destination MAC address 1a:81:fb:cb:bd:7a server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 ip and ether host "1a:81:fb:cb:bd:7a" tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 13:29:13.691432 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:29:13.693245 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 81: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 13:29:13.693336 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 97: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:29:13.694479 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 66: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 32 packets received by filter 0 packets dropped by kernel server:~# tcpdump -i bond0 -c 4 -ennNN -xxXX -tttt -vvv -s14 '(link[12:2] == 0x0800)' and \( \( '(link[0:4] == 0x1a81fbcb)' and '(link[4:2] == 0xbd7a)' \) or \( '(link[6:4] == 0x1a81fbcb)' and '(link[10:2] == 0xbd7a)' \) \) tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 14 bytes 2022-05-21 13:30:51.090852 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 93: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 2022-05-21 13:30:51.090983 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 93: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:30:51.091411 1a:81:fb:cb:bd:7a > d8:9d:67:1a:38:c5, ethertype IPv4 (0x0800), length 190: [|ip] 0x0000: d89d 671a 38c5 1a81 fbcb bd7a 0800 ..g.8......z.. 2022-05-21 13:30:51.092584 d8:9d:67:1a:38:c5 > 1a:81:fb:cb:bd:7a, ethertype IPv4 (0x0800), length 96: [|ip] 0x0000: 1a81 fbcb bd7a d89d 671a 38c5 0800 .....z..g.8... 4 packets captured 49 packets received by filter 0 packets dropped by kernel