When capturing packets with tcpdump on a circuit configured with the parameter "hide-vlan-header", the tcpdump output shows unexpected MAC addresses in outgoing packets.
The following example demonstrates the issue. The circuit vlan76 is configured with VLAN tag 76 and the parameter hide-vlan-header is set:

  CBS# show running-config circuit vlan76
  circuit vlan76
    default-egress-vlan-tag 76 hide-vlan-header
    ip 172.16.76.1/24 172.16.76.255
When tcpdump is run to capture traffic on this circuit, neither the source nor the destination MAC address in outgoing packets corresponds to the actual MAC address of the circuit or of the neighbor device:
Alternatively, use the Linux ip command on the VAP to check the real MAC address of the neighbor:

  fw_1 (CBS): ~# ip neighbor | grep 172.16.76.254
  172.16.76.254 dev vlan76 lladdr 00:1c:58:d7:7c:7f REACHABLE
An untagged Ethernet header contains only the two MAC addresses and the Ethertype field, for a total length of 14 bytes. In the case of tagged frames, the header also carries the 802.1Q VLAN information, which enlarges the header to 18 bytes.
When a circuit is configured with hide-vlan-header, tcpdump gets only the last 14 bytes of the Ethernet header, but the packet data structure has already been built with the 18-byte header that includes the VLAN tag (the hexadecimal value 0x8100 is the 802.1Q VLAN protocol identifier and 0x004c is the VLAN number 76):

  MAC destination: 001c 58d7 7c7f
  MAC source:      0003 d2f2 4102
  802.1Q VLAN tag: 8100 004c
Because tcpdump interprets the packet data from an invalid offset, it displays incorrect MAC addresses in the output. This is a display issue only and doesn't have any impact on the actual traffic.
MAC addresses in incoming packets are displayed properly since the VLAN tag is already removed from the frames before tcpdump gets the data.
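The offset problem described above can be reproduced without a live capture. The following Python script is an added example and not part of the original article: it builds the 18-byte 802.1Q header from the MAC addresses and VLAN ID shown on the page, parses it once with a tag-aware parser and once from the shifted offset (the last 14 bytes of the header), and shows the shifted MAC addresses a 14-byte parser such as tcpdump on a hide-vlan-header circuit would print. The payload Ethertype 0x0800 (IPv4) is an assumption, since the article does not show the bytes that follow the VLAN tag.

```python
"""Added example (not from the original article): reproduce the shifted MAC
addresses seen when an 18-byte tagged Ethernet header is parsed as if it
were a 14-byte untagged header."""
import struct

# MAC addresses and VLAN ID taken from the article. The payload Ethertype
# (0x0800, IPv4) is an assumption; the article does not show that field.
DST_MAC = bytes.fromhex("001c58d77c7f")
SRC_MAC = bytes.fromhex("0003d2f24102")
TPID_8021Q = 0x8100
VLAN_ID = 76
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def build_tagged_header(dst: bytes, src: bytes, vlan_id: int,
                        ethertype: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an 18-byte 802.1Q header: dst(6) src(6) TPID(2) TCI(2) Ethertype(2)."""
    tci = (pcp << 13) | (dei << 12) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype)


def parse_untagged_header(frame: bytes) -> dict:
    """Parse a plain 14-byte header. This is what a capture tool does when it
    has been told (via hide-vlan-header) that no tag is present."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}


def parse_header(frame: bytes) -> dict:
    """Tag-aware parser: accepts both 14-byte untagged and 18-byte tagged headers."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan": None}
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
    info["ethertype"] = ethertype
    return info


def show_offset_problem():
    """Return the constructed frame header, the correct parse, and the parse
    obtained from the last 14 bytes of the 18-byte header (the offset the
    article describes for outgoing packets)."""
    frame = build_tagged_header(DST_MAC, SRC_MAC, VLAN_ID, ETHERTYPE_IPV4)
    correct = parse_header(frame)
    shifted = parse_untagged_header(frame[4:])
    return frame, correct, shifted


if __name__ == "__main__":
    frame, correct, shifted = show_offset_problem()
    print("header bytes :", frame.hex(" ", 2))
    print("correct parse:", correct)
    print("shifted parse:", shifted)
```

Running the script shows that the shifted parse still ends on the real Ethertype (the 4-byte skew lands the 14-byte window exactly on the last field), which is why tcpdump decodes the IP payload correctly while printing MAC addresses that belong to no device on the segment. When the neighbor address from ip neighbor does not appear in the capture but the IP-level output looks sane, this header skew is the first thing to check before suspecting spoofing or a duplicate MAC on the network.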
If VLAN tags are supported by the application installed on the VAP group, the parameter hide-vlan-header can be removed from the circuit configuration. When using Check Point SG R70 or any later version, it is recommended to remove this option to achieve the best performance.

To remove this parameter, re-enter the default-egress-vlan-tag command without specifying it: