First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

RX and TX packets identification

  • retag add tags

When I am capturing packets of some intarface how can I detect which are RX and TX packets?

vladinko0's avatar
7
vladinko0
asked 2019-10-11 09:56:33 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

Depends on the network technology in use, but for the most common Ethernet, Tx packets will have the MAC address of the interface as the source and Rx packets will have the MAC address as the destination.

grahamb's avatar
23.8k
grahamb
answered 2019-10-11 10:05:22 +0000
edit flag offensive 0 remove flag delete link
more

Comments

I am monitoring wlan0. So if I have this:

Receiver address: Broadcast (ff:ff:ff:ff:ff:ff) 
Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
Transmitter address: Ubiquiti_5c:4f:18 (00:15:6d:5c:4f:18)

Does it means it is TX packet?

vladinko0's avatar vladinko0 (2019-10-11 10:28:34 +0000) edit
more
  • delete

Broadcasts (i.e. with a MAC address of all f) are a bit more difficult to work out.

In the case shown above, which is Wi-Fi not Ethernet, additional info is available which shows the mac address of the transmitter (Transmitter address). All packets are effectively both Tx and Rx packets, generally what counts is who transmitted the packet and who was the intended recipient.

This also points out another issue when determining if a packet is an "Rx" packet, in that if the capture interface is in promiscuous mode (or monitoring for Wi-Fi), then the interface will "receive" packets not intended for that interface. Whether you count those as "Rx" packets is up to you.

grahamb's avatar grahamb (2019-10-11 10:44:08 +0000) edit
more
  • delete

How can I find out, who has transmitted the packet? Interface is in monitoring mode. In the packet is:

Source address: IntelCor_03:13:ee (60:6c:66:03:13:ee)

It means IntelCor_03:13:ee (60:6c:66:03:13:ee) has transmitted the packet?

vladinko0's avatar vladinko0 (2019-10-11 11:04:48 +0000) edit
more
  • delete

Yes. That is the MAC address of the interface used on the packet transmitter.

grahamb's avatar grahamb (2019-10-11 11:38:59 +0000) edit
more
  • delete

But in some packets I don't have Source address, just receiver address:

Type/Subtype: Acknowledgement (0x001d)
Receiver address: SamsungE_6e:f9:7f (a8:9f:ba:6e:f9:7f)

Is it possible to find out who has transmitted the packet?

vladinko0's avatar vladinko0 (2019-10-11 12:28:20 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer