Linux – Packet captures: filtering on RX vs TX

Tags: interface, linux, pcap, tcpdump

I have a network problem where frames with a source MAC which matches with one of my host's source MACs are arriving at the host – an apparent duplicate MAC, or loop, or other L2 problem.

I believe this is the situation because the MAC tables (CAM tables) of my Linux bridge register a local MAC (for a hosted virtual machine) as being on the upstream port, and the kernel logs show errors:

bridgename: received packet on bond0.2222 with own address as source address

I'd like to get more details about these "rogue" packets / frames, but I can't figure out how to zero in on them. With tcpdump you can filter on a particular source MAC ('ether src MAC'), but this is based on the bytes in the frame – not whether the frame was "sent out" versus "received in". We usually assume a frame with our source MAC means we're sending it out, but if a duplicate frame were received, the contents would look exactly the same to the filter.

How can one observe whether a frame was received versus transmitted in a packet capture?

Best Answer

Use the --direction option to tcpdump:

-Q direction
--direction=direction
       Choose send/receive direction direction for which packets should be
       captured. Possible values are `in', `out' and `inout'. Not available on
       all platforms.
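
The following is an added example, not part of the original answer: a Linux-only Python sketch that reads the per-frame packet type the kernel reports on an AF_PACKET socket and prints only frames that were received, not transmitted, with one of the host's own MACs as source, which is the selection that `-Q in` combined with `ether src MAC` makes. The interface name and MAC addresses are supplied by the user; the sample MAC and frame in the code are constructed.

```python
import socket
import sys

# Values from <linux/if_packet.h>; the kernel tags every captured frame with one.
PACKET_OUTGOING = 4      # frame was transmitted by this host
ETH_P_ALL = 0x0003       # capture every EtherType

# Constructed sample: broadcast frame (EtherType 0x0806) from a made-up VM MAC.
SAMPLE_MAC = "52:54:00:12:34:56"
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "525400123456" "0806") + bytes(28)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def own_source_received(frame, pkttype, local_macs):
    """Return the source MAC when a received (not transmitted) frame
    carries one of our own MACs as its source; otherwise None."""
    if pkttype == PACKET_OUTGOING or len(frame) < 14:
        return None
    src = fmt_mac(frame[6:12])
    return src if src in local_macs else None


def watch(ifname, local_macs):
    """Print every inbound frame on ifname whose source MAC is ours.
    Needs CAP_NET_RAW (typically root) and Linux."""
    macs = {m.lower() for m in local_macs}
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                       socket.htons(ETH_P_ALL)) as s:
        s.bind((ifname, 0))
        while True:
            # Address tuple: (ifname, proto, pkttype, hatype, addr)
            frame, (_, _, pkttype, _, _) = s.recvfrom(65535)
            src = own_source_received(frame, pkttype, macs)
            if src:
                ethertype = int.from_bytes(frame[12:14], "big")
                print(f"RX own-MAC frame: src={src} dst={fmt_mac(frame[0:6])} "
                      f"ethertype=0x{ethertype:04x} len={len(frame)}")


if __name__ == "__main__":
    # Usage: sudo python3 rxwatch.py <interface> <mac> [<mac> ...]
    watch(sys.argv[1], sys.argv[2:])
```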