Wireshark mailing list archives

Re: filter out PVST packets?

From: Guy Harris <guy () alum mit edu>
Date: Thu, 27 Oct 2011 22:51:06 -0700


On Oct 26, 2011, at 10:00 AM, Dave Sparks wrote:

Any pointers on how to filter out PVST packets?

# tshark -i vlan701 not stp
Capturing on vlan701
 0.000000 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013
 2.013488 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013
 4.026868 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013
 6.039309 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013


PVSTP+ does *NOT* use the standard Ethernet type or LLC SAP for STP; instead, it uses SNAP and an OUI of 00:00:0C and a 
protocol ID of 0x010b.  Unfortunately, there's no simple primitive to check for SNAP+{OUI}+{Protocol ID}.  The way you 
way you do that is dependent on the link layer type; for Ethernet I think it'd be

        ether[12:2] <= 1500 and ether[14:4] == 0xaaaa0300 and ether[18:4] == 0x000c0010b
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

filter out PVST packets? Dave Sparks (Oct 26)
- Re: filter out PVST packets? Martin Visser (Oct 26)
- Re: filter out PVST packets? Guy Harris (Oct 27)
  - Re: filter out PVST packets? Guy Harris (Oct 28)