tcpdump mailing list archives

Re: vlan [xx] filter not filtering any packets


From: Guy Harris <guy () alum mit edu>
Date: Wed, 10 Jun 2009 16:56:06 -0700


On Jun 10, 2009, at 11:12 AM, Guy Harris wrote:

There are special hooks in Linux's BPF interpreter to allow filtering on some data that's not in the packet data; libpcap already uses that to handle fields in the constructed DLT_LINUX_SLL header (it generates code assuming the header is at the beginning of the packet and, if it determines that the filter will be handed to the kernel, rewrites load instructions that load from the header to load the corresponding items from packet metadata instead), and we *might* be able to do the same with the reconstructed VLAN header *if* the information from which it's reconstructed can be fetched by the kernel's BPF interpreter.

Perhaps I'm missing something, but, at least in the 2.6.29 kernel, I don't see any way that the kernel's BPF interpreter (sk_run_filter() in net/core/filter.c) can get at skb->vlan_tci, so I don't think it's possible to make filtering of packets with the VLAN header stripped off work the same as filtering of packets with the VLAN header intact.

I would suggest that, when capturing on an interface where the VLAN tags get stripped off, you use filters without "vlan" - even though, when filtering the resulting capture file, you *would* use "vlan" in the filters.
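An added example, not part of the original message and not libpcap or kernel code: a toy classic-BPF halfword load in C, showing that a packet-data test for the 802.1Q ethertype stops matching once the tag has been stripped, while a load rewritten to an ancillary offset reads packet metadata instead. The `toy_skb` struct and the function names are hypothetical, the "vlan" test is simplified to a single ethertype comparison, the SKF_AD_* values mirror linux/filter.h, and the frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Values mirror linux/filter.h; defined locally so this builds anywhere. */
#define SKF_AD_OFF      (-0x1000)
#define SKF_AD_PROTOCOL 0
#define SKF_AD_PKTTYPE  4

/* Hypothetical stand-in for an skb (fields kept in host byte order). */
struct toy_skb {
    const uint8_t *data;
    size_t len;
    uint16_t protocol;  /* reachable through SKF_AD_PROTOCOL */
    uint8_t pkt_type;   /* reachable through SKF_AD_PKTTYPE */
    uint16_t vlan_tci;  /* holds the stripped tag; no ancillary slot modelled */
};

/* Toy "ldh [k]": negative offsets from SKF_AD_OFF read metadata, not bytes. */
static int32_t load_half(const struct toy_skb *skb, int32_t k)
{
    if (k >= SKF_AD_OFF && k < 0) {
        switch (k - SKF_AD_OFF) {
        case SKF_AD_PROTOCOL: return skb->protocol;
        case SKF_AD_PKTTYPE:  return skb->pkt_type;
        default:              return -1; /* nothing here leads to vlan_tci */
        }
    }
    if (k < 0 || (size_t)k + 2 > skb->len) return -1; /* out of bounds */
    return (skb->data[k] << 8) | skb->data[k + 1];
}

/* Simplified "vlan" test: ethertype at offset 12 is 802.1Q (0x8100). */
static int filter_vlan(const struct toy_skb *s) { return load_half(s, 12) == 0x8100; }

/* Same idea as the SLL rewrite: compare metadata instead of header bytes. */
static int filter_proto_meta(const struct toy_skb *s, uint16_t proto)
{ return load_half(s, SKF_AD_OFF + SKF_AD_PROTOCOL) == proto; }

/* Constructed frames: IPv4 in VLAN 5, tag intact vs. tag stripped on receive. */
static const uint8_t tagged[18]   = {[12] = 0x81, 0x00, 0x00, 0x05, 0x08, 0x00};
static const uint8_t stripped[14] = {[12] = 0x08, 0x00};
static const struct toy_skb skb_tagged   = { tagged, sizeof tagged, 0x8100, 0, 0 };
static const struct toy_skb skb_stripped = { stripped, sizeof stripped, 0x0800, 0, 5 };

int main(void)
{
    /* Exit 0 when "vlan" matches only the frame whose tag is still in the bytes. */
    return !(filter_vlan(&skb_tagged) && !filter_vlan(&skb_stripped)
             && filter_proto_meta(&skb_stripped, 0x0800));
}
```
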

