tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: "not vlan" filter expression broken catastrophically!

From: Guy Harris <guy () alum mit edu>
Date: Fri, 1 Feb 2013 18:18:52 -0800

On Feb 1, 2013, at 4:49 AM, Bill Fenner <fenner () aristanetworks com> wrote:


We have wanted to fix the vlan support ever since it was added.


The "vlan" keyword serves two purposes:

        1) matching VLAN-encapsulated packets or VLAN-encapsulated packets on a particular VLAN;

        2) handling the extra MAC-layer header length due to the VLAN header.

That's also the case for "pppoed" and "mpls".

2), in the best of all possible worlds, would be done by having filter programs that can, without much performance 
penalty, check for higher-level protocol types in the presence of 
VLAN/MPLS/PPPoE/GTP/fill-in-your-encapsulation-layering headers, so that "tcp port 80" would find all packets on the 
network that are going to or from TCP port 80, regardless of how IP is encapsulated.  If you wanted only 
VLAN-encapsulated packets going to or from TCP port 80, you'd do "vlan and tcp port 80"; if you only wanted 
*non*-VLAN-encapsulated packets going to or from TCP port 80, you'd do "not vlan and tcp port 80".  "vlan" (and 
"pppoed" and "mpls") would only handle 1) (and its equivalents).

Unfortunately, that requires changes to the machine code language for filter programs, so you'd have to somehow deal 
with systems where the kernel has a filtering engine but it doesn't support those changes.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Previous By Date Next
Previous By Thread Next

Current thread: