tcpdump mailing list archives

tcpdump (-i any) with vlan


From: Tsachi <tsachi.kimel () gmail com>
Date: Mon, 3 Jun 2013 11:18:15 +0300

I have a question regarding tcpdump (capturing all interfaces) and a
strange capture I see.

Environment:


Linux Kernel 2.6.35.12

tcpdump version 4.4.0

libpcap version 1.4.0

2 Linux devices connected and configured with VLAN TAG (802.1q). I am
pinging between the 2 device vlan interfaces, network wise everything works
well. When using tcpdump to capture all interfaces tcpdump -i any -n -e.

I am seeing this:

The first 3 packets look fine

Received on the main interface (tagged):

-6:-45:-40.2216 In 00:11:22:33:44:56 ethertype 802.1Q (0x8100), length 104:
vlan 10, p 0, ethertype IPv4, 10.0.0.10 > 10.0.0.1: ICMP echo request, id
2452, seq 487, length 64

Received on the vlan interface (untagged):

-6:-45:-40.2217 In 00:11:22:33:44:56 ethertype IPv4 (0x0800), length 100:
10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 487, length 64

Sent from the vlan interface (untagged):

-6:-45:-40.2221 Out 00:11:22:33:44:55 ethertype IPv4 (0x0800), length 100:
10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 487, length 64

But the fourth sent from the main interface looks erroneous:

-6:-45:-40.2223 Out 00:11:22:33:44:55 ethertype 802.1Q (0x8100), length
100: vlan 1280, p 2, ethertype Unknown, LLC, dsap SNA (0x04) Group, ssap
Unknown (0x3e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0,
Flags [Response], length 80

When defining the specific interface (eth0 or eth0.10) to tcpdump it looks
well:

"tcpdump -i usb0 -n -e"

-6:-13:00.40042 00:11:22:33:44:56 > 00:11:22:33:44:55, ethertype 802.1Q
(0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.0.0.10 > 10.0.0.1:
ICMP echo request, id 2452, seq 2442, length 64

-6:-13:00.40100 00:11:22:33:44:55 > 00:11:22:33:44:56, ethertype 802.1Q
(0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.0.0.1 > 10.0.0.10:
ICMP echo reply, id 2452, seq 2442, length 64

"tcpdump -i usb0.10 -n -e"

-6:-52:-14.5791 00:11:22:33:44:56 > 00:11:22:33:44:55, ethertype IPv4
(0x0800), length 98: 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq
94, length 64

-6:-52:-14.5795 00:11:22:33:44:55 > 00:11:22:33:44:56, ethertype IPv4
(0x0800), length 98: 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq
94, length 64

Currently, I work with a USB network interface but the same goes for
Ethernet (eth0 / eth0.10).

The extra 2 bytes when using -i any are because Linux adds its Linux cooked
2 bytes.

Saving to a file and watching it with wireshark, it seems that the 4 VLAN
ID bytes are missing in the erroneous packet (only with -i any).

Any idea why tcpdump shows this line when using -i any?

Since traffic is working well, I guess it is a libpcap/tcpdump issue?

-6:-45:-40.2223 Out 00:11:22:33:44:55 ethertype 802.1Q (0x8100), length
100: vlan 1280, p 2, ethertype Unknown, LLC, dsap SNA (0x04) Group, ssap
Unknown (0x3e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0,
Flags [Response], length 80

Thanks,
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
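
Added example, not part of the original post and not tcpdump or libpcap code: a 100-byte Linux cooked (SLL) frame whose protocol field says 802.1Q but whose 4 tag bytes are absent, decoded the way a VLAN dissector would read it. The frame is constructed; the IPv4 ID 0x053f and zero checksum are assumptions chosen to reproduce the reported dsap/ssap values, and the function names are hypothetical.

```python
import struct

SLL_HDR = struct.Struct("!HHH8sH")  # pkttype, ARPHRD type, addr len, addr, protocol
ETHERTYPE_8021Q = 0x8100


def build_sample():
    """Constructed frame: SLL header claims 802.1Q, IPv4 header follows directly."""
    sll = SLL_HDR.pack(4, 1, 6, bytes.fromhex("001122334455") + b"\0\0",
                       ETHERTYPE_8021Q)  # pkttype 4 = sent by us ("Out")
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x053F, 0, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 10]))
    return sll + ipv4 + bytes(64)  # 64 zeroed bytes stand in for the ICMP reply


def decode_as_vlan(frame):
    """Read the bytes after the SLL header as an 802.1Q tag, as a dissector would."""
    proto = SLL_HDR.unpack_from(frame)[4]
    if proto != ETHERTYPE_8021Q:
        raise ValueError("SLL protocol is not 802.1Q")
    tci, inner = struct.unpack_from("!HH", frame, SLL_HDR.size)
    out = {"vlan": tci & 0x0FFF, "prio": tci >> 13, "inner": inner,
           "payload_len": len(frame) - SLL_HDR.size - 4}
    if inner <= 1500:  # an 802.3 length, not an ethertype, so LLC is assumed next
        dsap, ssap, ctrl = struct.unpack_from("!BBH", frame, SLL_HDR.size + 4)
        out.update(dsap=dsap & 0xFE, dsap_group=bool(dsap & 1),
                   ssap=ssap & 0xFE, ssap_response=bool(ssap & 1), ctrl=ctrl)
    return out


def tag_missing(frame):
    """True when the supposed tag bytes are really a self-consistent IPv4 header."""
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, SLL_HDR.size)
    return (ver_ihl >> 4 == 4 and (ver_ihl & 0x0F) >= 5
            and total_len == len(frame) - SLL_HDR.size)


if __name__ == "__main__":
    frame = build_sample()
    print(len(frame), decode_as_vlan(frame), tag_missing(frame))
```

The IPv4 bytes 45 00 are read as the tag control field (priority 2, VLAN 0x500 = 1280) and the IPv4 total length 0x0054 as an 802.3 length, which gives the LLC decode and "length 80" seen in the fourth packet.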

