RX and TX packets identification
When I am capturing packets on some interface, how can I detect which are RX and which are TX packets?
Depends on the network technology in use, but for the most common Ethernet, Tx packets will have the MAC address of the interface as the source and Rx packets will have the MAC address as the destination.
I am monitoring wlan0. So if I have this:
Receiver address: Broadcast (ff:ff:ff:ff:ff:ff)
Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
Transmitter address: Ubiquiti_5c:4f:18 (00:15:6d:5c:4f:18)
Does it mean it is a TX packet?
Broadcasts (i.e. with a MAC address of all f) are a bit more difficult to work out.
In the case shown above, which is Wi-Fi not Ethernet, additional info is available which shows the MAC address of the transmitter (Transmitter address). All packets are effectively both Tx and Rx packets; generally what counts is who transmitted the packet and who was the intended recipient.
This also points out another issue when determining if a packet is an "Rx" packet, in that if the capture interface is in promiscuous mode (or monitoring for Wi-Fi), then the interface will "receive" packets not intended for that interface. Whether you count those as "Rx" packets is up to you.
How can I find out, who has transmitted the packet? Interface is in monitoring mode. In the packet is:
Source address: IntelCor_03:13:ee (60:6c:66:03:13:ee)
Does it mean IntelCor_03:13:ee (60:6c:66:03:13:ee) has transmitted the packet?
Yes. That is the MAC address of the interface used on the packet transmitter.
But in some packets I don't have a Source address, just a Receiver address:
Type/Subtype: Acknowledgement (0x001d)
Receiver address: SamsungE_6e:f9:7f (a8:9f:ba:6e:f9:7f)
Is it possible to find out who has transmitted the packet?
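The address rules discussed in this thread can be applied mechanically to exported frames. The following is an added example, not code from any poster; the `classify` function, the dictionary keys (`ta`, `sa`, `ra`, `da`) and the local MAC address are assumptions made for illustration, while the three sample frames reuse the addresses quoted above.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(frame, local_mac):
    """Label one frame relative to the capturing interface's MAC address.

    frame is a dict with any of the (hypothetical) keys:
      ta = transmitter address, sa = source address,
      ra = receiver address,    da = destination address
    """
    local = local_mac.lower()
    # Prefer the Wi-Fi transmitter/receiver fields; fall back to the
    # source/destination fields, which is all an Ethernet frame has.
    sender = (frame.get("ta") or frame.get("sa") or "").lower()
    receiver = (frame.get("ra") or frame.get("da") or "").lower()

    if sender == local:
        return "tx"                    # we are the sender
    if receiver == local:
        return "rx"                    # addressed to us
    if not sender:
        # e.g. an Acknowledgement frame: only a receiver address is present,
        # so the address fields alone cannot say who sent it.
        return "unknown-transmitter"
    if receiver == BROADCAST:
        return "rx-broadcast"          # sent by someone else to everyone
    # Seen only because the interface is in promiscuous/monitor mode.
    return "overheard"

def classify_all(frames, local_mac):
    """Classify a list of frames, returning the labels in order."""
    return [classify(f, local_mac) for f in frames]

# Frames built from the fields quoted in the thread.
SAMPLE_FRAMES = [
    {"ra": BROADCAST, "da": BROADCAST, "ta": "00:15:6d:5c:4f:18"},
    {"sa": "60:6c:66:03:13:ee"},
    {"ra": "a8:9f:ba:6e:f9:7f"},       # Acknowledgement (0x001d)
]

# Constructed (locally administered) MAC standing in for wlan0's address.
LOCAL_MAC = "02:00:00:00:00:01"

if __name__ == "__main__":
    for frame, label in zip(SAMPLE_FRAMES, classify_all(SAMPLE_FRAMES, LOCAL_MAC)):
        print(label, frame)
```

Whether `overheard` frames are counted as Rx is a policy choice, as noted in the answer above.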