Re: tcpdump3.9.8 slow performance with filter in FreeBSD 7.0

[Alexander Dupuy <alex.dupuy () mac com>]

Lei Wei writes:
> if I use the filter "ip or (vlan and ip)", the packet returned from 
> pcap contains the VLAN tag. I wonder
> if there's a way to let the OS to strip off the tag before deliverying?

It really depends on the OS - I can't say anything about FreeBSD.  While 
it is possible to have Linux strip VLAN tags from trunked interfaces 
(and add them on outgoing) I don't know whether this happens before or 
after the Packet socket stuff (used by libpcap on Linux) gets involved.

There are tools that will take tcpdump savefiles with VLAN tagged 
packets and convert them to remove that: tcprewrite (part of the 
tcpreplay package - http://tcpreplay.synfin.net/) makes it very easy:

tcprewrite also allows you to add or remove 802.1q VLAN tag information 
from Ethernet frames. Removing the 802.1q tag information is as simple 
as specifying /--vlan=del/:

   *$* tcprewrite --enet-vlan=del --infile=input.pcap
   --outfile=output.pcap

If your application requires direct libpcap access (e.g. it modifies BPF 
filters dynamically) this may not work for you, but if you have an 
offline analysis application, it could do the trick.

@alex

--
mailto:alex.dupuy () mac com

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.