tcpdump mailing list archives

Re: odd issue with Linux VLAN interface


From: Guy Harris <guy () alum mit edu>
Date: Tue, 27 Jan 2015 16:15:16 -0800


On Jan 27, 2015, at 4:09 PM, Denis Ovsienko <denis () ovsienko info> wrote:

> Some time ago I did troubleshooting on a Linux PC and that involved running tcpdump with the "not tcp" filter on a
> few network interfaces to put a number of background TCP connections out of scope (I was interested in how other
> protocols' packets were making it from one interface to the other). At some point I had realized that tcpdump was
> printing TCP packets _only_ and no other protocols (again, the filter was "not tcp"). Later I figured out how to
> reproduce the problem but not the cause of it.
>
> The host has an Ethernet interface with only an IPv6 link-local address (eth0). On top of it there is a VLAN
> interface with VID 75 (eth0.75), IPv6 link-local address and IPv4 address 10.0.75.254/24. The difference is, when
> tcpdump runs with "-i eth0.75", it works as expected and displays ARP and, for instance, UDP from/to the network
> 10.0.75.0/24. When run with "-i eth0", it displays only TCP from/to network 10.0.75.0. This looks wrong in two ways,
> as the tagged packets should not appear on the bearing interface in the first place, and even if they appear there the
> filter should exclude them, but instead of this it excludes all the other packets.

I.e., "tcpdump -i eth0 not tcp" prints *only* TCP packets?

Just out of curiosity, what does "tcpdump -i eth0 -d not tcp" print?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

