tcpdump mailing list archives
Re: pcap filters on a VLAN
From: Guy Harris <guy () alum mit edu>
Date: Tue, 2 Dec 2003 14:12:00 -0800
On Dec 2, 2003, at 1:19 PM, sthaug () nethelp no wrote:
If not, how does one specify capturing IP packets within an Ethernet frame with a 802.1q VLAN header?ether[12:2]==0x8100 and ether[16:2]==0x800 or ether proto 0x8100 and ether[16:2]==0x800
Or, with sufficiently recent versions of libpcap/WinPcap:
vlan and ip
(his original filter of "ether proto 0x0800" could be replaced by "ip"
to capture IP packets; it, like "ether proto 0x0800, won't handle VLAN
packets).
What about filter that specify only UDP or TCP ports? Will those filterswork for both Ethernet frames and 802.1q VLAN frames?No.
But
vlan and udp port 2049
should work to capture UDP port 2049 traffic on VLANs, and
(udp port 2049) or (vlan and udp port 2049)
should capture UDP port 2049 with IP-atop-Ethernet and
IP-atop-VLAN-atop-Ethernet (just as
ip or (vlan and ip)
should capture IP traffic directly atop Ethernet and atop
VLAN-over-Ethernet).
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- pcap filters on a VLAN Puneet Sood (Dec 02)
- Re: pcap filters on a VLAN sthaug (Dec 02)
- Re: pcap filters on a VLAN Guy Harris (Dec 02)
- Re: pcap filters on a VLAN Chris Reining (Dec 02)
- Re: pcap filters on a VLAN sthaug (Dec 02)