tcpdump mailing list archives

Re: VLAN BPF filter


From: sthaug () nethelp no
Date: Mon, 22 Aug 2011 16:58:12 +0200 (CEST)

I want to filter packets having VLAN ID 7 or VLAN ID 10. Those are not Q-n-Q VLAN IDs. So what should be the perfect BPF syntax for it?

When I tried using the syntax below, it results in only those packets having VLAN ID 7 and src host 10.21.22.2.

"( ( vlan 7 and src host 10.21.22.2 ) or ( vlan 10  and dst host 10.21.22.3) )"

This is expected, because each "vlan" term adds another 2-byte offset
to the rest of the expression.

You need to do this manually, e.g.

tcpdump -ni em1 '(ether[12:2]==0x8100) and (ether[14:2]&4095==7 or ether[14:2]&4095==10)'

Steinar Haug, Nethelp consulting, sthaug () nethelp no
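
The manual offset check from the reply above, evaluated in Python on constructed frames (an added example, not part of the original message). `matches_intended` goes beyond the reply by also applying the question's per-VLAN host conditions at fixed offsets, assuming single-tagged IPv4 frames; all function names are hypothetical.

```python
import socket
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def ether(frame, off, size):
    """Same read as the filter's ether[off:size]: big-endian unsigned."""
    return int.from_bytes(frame[off:off + size], "big")

def vlan_id(frame):
    """VLAN ID of a single-tagged frame, or None if untagged or too short."""
    if len(frame) < 18 or ether(frame, 12, 2) != TPID_8021Q:
        return None
    return ether(frame, 14, 2) & 4095  # drop PCP/DEI bits, keep the 12-bit VID

def matches_page_filter(frame):
    """(ether[12:2]==0x8100) and (ether[14:2]&4095==7 or ether[14:2]&4095==10)"""
    return vlan_id(frame) in (7, 10)

def matches_intended(frame):
    """Assumed intent: (VLAN 7 and src 10.21.22.2) or (VLAN 10 and dst 10.21.22.3)."""
    vid = vlan_id(frame)
    if vid is None or len(frame) < 38 or ether(frame, 16, 2) != ETHERTYPE_IPV4:
        return False
    src = socket.inet_ntoa(frame[30:34])  # IPv4 header starts at 18; src at +12
    dst = socket.inet_ntoa(frame[34:38])  # dst at +16
    return (vid == 7 and src == "10.21.22.2") or (vid == 10 and dst == "10.21.22.3")

def build_frame(vid, src, dst, pcp=0):
    """Constructed test frame: Ethernet + optional 802.1Q tag + bare IPv4 header."""
    macs = bytes(6) + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip

if __name__ == "__main__":
    samples = [(7, "10.21.22.2", "10.9.9.9", 5),      # priority bits set
               (10, "10.9.9.9", "10.21.22.3", 0),
               (10, "10.21.22.2", "10.9.9.9", 0),     # right VLAN, wrong host
               (None, "10.21.22.2", "10.21.22.3", 0)]  # untagged
    for vid, src, dst, pcp in samples:
        f = build_frame(vid, src, dst, pcp)
        print(vid, src, dst, matches_page_filter(f), matches_intended(f))
```

The first sample carries non-zero priority bits, so a raw comparison of `ether[14:2]` against 7 would miss it; the `&4095` mask is what makes the VLAN ID test reliable.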