0
votes

I am using TCPDUMP to intercept the network traffic on an Android device. The command I use is

./tcpdump -tt -nn -vv tcp > tcp.log

In the result file (tcp.log), I found that there are not only TCP packets, but also some others with Ethernet addresses. (Some IP and Ethernet addresses are obfuscated for privacy purposes.)

1410451676.980763 IP (tos 0x0, ttl 41, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    54.204.ABC.144.80 > 172.31.DEF.178.59949: Flags [S.], seq 572870324, ack 3778403975, win 17898, options [mss 1380,sackOK,TS[|tcp]>

1410451676.980916 IP (tos 0x0, ttl 64, id 44656, offset 0, flags [DF], proto TCP (6), length 52)
    172.31.DEF.178.59949 > 54.204.ABC.144.80: Flags [.], seq 1, ack 1, win 1369, options [nop,nop,TS[|tcp]>

1410451676.982167 IP (tos 0x0, ttl 64, id 44657, offset 0, flags [DF], proto TCP (6), length 701)
    172.31.DEF.178.59949 > 54.204.ABC.144.80: Flags [P.], seq 1:650, ack 1, win 1369, options [nop,nop,TS[|tcp]>

1410451676.996114 00:24:f9:c3:XX:00 > d8:50:e6:2b:YY:6a, ethertype IPv6 (0x86dd), length 86: 
0x0000:  6000 0000 0020 0634 2607 f8b0 400d 0c03  `......4&...@...
0x0010:  0000 0000 0000 00bc 2001 0468 0c80 4340  ...........h..C@
0x0020:  b040 b100 7831 4228 146c c1cc ceb8 fc7a  .@..x1B(.l.....z

1410451677.000783 00:24:f9:c3:XX:00 > d8:50:e6:2b:YY:6a, ethertype IPv6 (0x86dd), length 535: 
0x0000:  6000 0000 01e1 0634 2607 f8b0 400d 0c03  `......4&...@...
0x0010:  0000 0000 0000 00bc 2001 0468 0c80 4340  ...........h..C@
0x0020:  b040 b100 7831 4228 146c c1cc ceb8 fc7a  .@..x1B(.l.....z

1410451677.000935 d8:50:e6:2b:YY:6a > 00:24:f9:c3:XX:00, ethertype IPv6 (0x86dd), length 86: 
0x0000:  6000 0000 0020 0640 2001 0468 0c80 4340  `......@...h..C@
0x0010:  b040 b100 7831 4228 2607 f8b0 400d 0c03  .@..x1B(&...@...
0x0020:  0000 0000 0000 00bc c1cc 146c 3b74 2fa9  ...........l;t/.

1410451677.011006 IP (tos 0x0, ttl 41, id 62137, offset 0, flags [DF], proto TCP (6), length 52)
    54.204.ABC.144.80 > 172.31.DEF.178.59949: Flags [.], seq 1, ack 650, win 75, options [nop,nop,TS[|tcp]>

In a regular TCP packet header, the result includes its timestamp (UNIX time), IP packet flag+options, source IP address+port, destination IP address+port, and TCP flags.

BUT, what I do not understand is that there are some Ethernet packets in between and, according to the results, these packets include their MAC addresses instead of IP addresses. Why is this the case? Are they TCP packets?

Thanks for your answers/insights.


1 Answer

1
votes

All those packets are Ethernet packets.

The version of tcpdump you're using was apparently not built with IPv6 support, so, while it can recognize IPv4-over-Ethernet packets and print out the IP information, it can't recognize IPv6-over-Ethernet packets, and just prints out the Ethernet-layer information.

You should ask whoever built that version of tcpdump why it doesn't include IPv6 support.
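A way to confirm the answer's claim without rebuilding tcpdump is to decode the hex that tcpdump did print. The following is an added example, not code from the question or the answer: it takes the hex dump lines pasted in the question for the 86-byte frame and its 86-byte reply (the ASCII column is ignored by the parser), decodes the IPv6 fixed header and the start of the TCP header that follows it, and checks that Ethernet header + IPv6 header + IPv6 payload length equals the "length 86" tcpdump reported. Only the first 48 bytes of each frame were pasted, so the TCP header is cut off after the sequence number; the parser reports that rather than guessing at the flags.

```python
import ipaddress
import re
import struct

# Hex dumps copied from the question's tcpdump output: the frame sent at
# 1410451676.996114 and the reply at 1410451677.000935. Both were printed
# by tcpdump as "length 86". The ASCII column is not used by the parser.
FRAME_A_DUMP = """\
0x0000:  6000 0000 0020 0634 2607 f8b0 400d 0c03  `......4&...@...
0x0010:  0000 0000 0000 00bc 2001 0468 0c80 4340  ...........h..C@
0x0020:  b040 b100 7831 4228 146c c1cc ceb8 fc7a  .@..x1B(.l.....z
"""
FRAME_A_WIRE_LEN = 86

FRAME_B_DUMP = """\
0x0000:  6000 0000 0020 0640 2001 0468 0c80 4340  `......@...h..C@
0x0010:  b040 b100 7831 4228 2607 f8b0 400d 0c03  .@..x1B(&...@...
0x0020:  0000 0000 0000 00bc c1cc 146c 3b74 2fa9  ...........l;t/.
"""
FRAME_B_WIRE_LEN = 86

ETHERNET_HEADER_LEN = 14   # dst MAC + src MAC + ethertype
IPV6_HEADER_LEN = 40       # IPv6 fixed header (RFC 8200)
TCP_HEADER_MIN_LEN = 20
IPPROTO_TCP = 6

# one hex group as tcpdump prints it: four hex digits, or two for a lone last byte
_HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump-style hex dump lines.

    Each line is '0xNNNN:' followed by two spaces, up to eight 4-digit hex
    groups (39 characters) and then the ASCII column. Only the fixed-width
    hex area (41 characters after the colon) is read, so ASCII text that
    happens to look like hex is never mistaken for packet data.
    """
    raw = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not offset.strip().startswith("0x"):
            continue
        for group in rest[:41].split():
            if not _HEX_GROUP.match(group):
                raise ValueError(f"unexpected token in hex area: {group!r}")
            raw += bytes.fromhex(group)
    return bytes(raw)


def parse_ipv6_tcp(payload: bytes) -> dict:
    """Decode the IPv6 fixed header and whatever part of a TCP header follows it."""
    if len(payload) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", payload[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version field = {version})")
    info = {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(payload[8:24])),
        "dst": str(ipaddress.IPv6Address(payload[24:40])),
        # what tcpdump's "length N" must be for a plain Ethernet + IPv6 frame
        "expected_frame_length": ETHERNET_HEADER_LEN + IPV6_HEADER_LEN + payload_len,
        "tcp": None,
    }
    if next_header != IPPROTO_TCP:
        return info
    tcp = payload[IPV6_HEADER_LEN:]
    tcp_info = {"header_complete": len(tcp) >= TCP_HEADER_MIN_LEN}
    if len(tcp) >= 4:
        tcp_info["sport"], tcp_info["dport"] = struct.unpack("!HH", tcp[:4])
    if len(tcp) >= 8:
        tcp_info["seq"] = struct.unpack("!I", tcp[4:8])[0]
    if len(tcp) >= 14:
        tcp_info["data_offset"] = (tcp[12] >> 4) * 4   # header length in bytes
        tcp_info["flags"] = tcp[13]                     # CWR..FIN bits
    info["tcp"] = tcp_info
    return info


def decode_dump(dump: str, wire_len: int) -> dict:
    """Decode one pasted dump and compare with the frame length tcpdump printed."""
    info = parse_ipv6_tcp(hexdump_to_bytes(dump))
    info["length_matches_tcpdump"] = info["expected_frame_length"] == wire_len
    return info


if __name__ == "__main__":
    for name, dump, wire_len in (("A", FRAME_A_DUMP, FRAME_A_WIRE_LEN),
                                 ("B", FRAME_B_DUMP, FRAME_B_WIRE_LEN)):
        d = decode_dump(dump, wire_len)
        print(f"frame {name}: {d['src']} -> {d['dst']} next_header={d['next_header']} "
              f"hop_limit={d['hop_limit']} tcp={d['tcp']} "
              f"length_ok={d['length_matches_tcpdump']}")
```

Both frames decode with next header 6 (TCP), a 32-byte IPv6 payload (a TCP header with options and no data, the same shape as the IPv4 ACKs above), and addresses that swap between the two directions; 14 + 40 + 32 = 86 matches what tcpdump printed, so nothing else is hiding in the frame. The hop limit of 64 on the reply is the usual initial value for a packet originating on the local host, and 52 on the inbound frame is consistent with a packet that has crossed a number of routers. Since the pasted output stops after the TCP sequence number, the flags are reported as unavailable instead of being guessed.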