If you capture on an interface which has a MAC address, then frames with this MAC address as a source one (eth.src == my:ma:ca:dd:re:ss) are egress and frames with other source MAC addresses (!(eth.src == my:ma:ca:dd:re:ss)) are ingress. If you capture on a port of a switch, nothing in the frame itself tells you the direction. But on switches with monitoring capabilities it is often possible (and useful for bandwidth-related reasons) to copy each direction of a source port to its own monitoring port, and capture on the two monitoring ports simultaneously, using two interfaces on the capturing machine. In this case, the interface id becomes the parameter telling you ingress frames from egress ones. You can make it a column in the packet list.
answered 24 Sep '16, 04:55
sindy
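The source-MAC rule from the answer above, applied outside Wireshark, as an added example that is not part of the original post: it reads a classic (microsecond) pcap file with Ethernet link type and labels each frame by comparing bytes 6-11 of the frame with the capturing interface's MAC. The MAC addresses and the sample capture are constructed for illustration; pcapng files, where the interface id lives, are not handled.

```python
import struct

MY_MAC = bytes.fromhex("020000000001")  # constructed: MAC of the capturing interface
PEER = bytes.fromhex("020000000002")    # constructed: some other host on the segment

def frame(dst, src):
    """Minimal Ethernet II frame: dst, src, EtherType 0x0800, zero padding."""
    return dst + src + b"\x08\x00" + b"\x00" * 46

def build_pcap(frames):
    """Build a little-endian classic pcap (link type 1 = Ethernet) in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

def directions(pcap, my_mac):
    """Return one label per frame: egress if eth.src is my_mac, else ingress."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    labels, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        data = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(data) < 14:
            # Too short to hold a full Ethernet header, so no source MAC to test.
            labels.append("truncated")
        else:
            labels.append("egress" if data[6:12] == my_mac else "ingress")
    return labels

# Constructed capture: one sent frame, one received unicast, one received
# broadcast, and one frame cut off before the end of the Ethernet header.
SAMPLE = build_pcap([
    frame(PEER, MY_MAC),
    frame(MY_MAC, PEER),
    frame(b"\xff" * 6, PEER),
    b"\x00" * 10,
])

if __name__ == "__main__":
    for number, label in enumerate(directions(SAMPLE, MY_MAC), start=1):
        print(number, label)
```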