tcpdump mailing list archives

Re: capturing vlan traffic on linux


From: Karsten Keil <kkeil () suse de>
Date: Thu, 24 Jan 2008 13:22:16 +0100

On Wed, Jan 23, 2008 at 02:23:06PM -0800, Aaron Turner wrote:
> Box is Linux 2.6.12 kernel
> tcpdump 3.8
> libpcap 0.8.3
> Intel e1000 NIC
>
> Long story short,
>
> 1) when sniffing on the vlan tagged interface (eth0.5), I can see
> inbound and outbound traffic, but the ethernet frames are not tagged.
> 2) when sniffing on the physical interface (eth0) I can see only one
> direction of traffic (outbound I think), and again no vlan tags.
>
> Is it not possible to sniff traffic with the vlan tags if the traffic
> is destined or generated by the host?  Or do I need to upgrade
> something?


That's the normal behavior I found out some time ago.
The VLAN processing is done in the driver (sometimes in the HW itself), this
is under the tcpdump interface layer.
If I need to debug VLAN issues on the wire I use a second PC on a HUB (or
a switch which allows port monitoring). Note: even here you need a card
which passes VLAN tagged frames unchanged to the upper layers, some more
featured cards always remove TAGs. I know this for tg3 and bnx cards, in this
case (tg3,bnx) you have to disable the advanced monitor firmware on the
cards to see VLAN tags.

-- 
Karsten Keil
SuSE Labs
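
The following is an added example, not part of the original message or of tcpdump/libpcap: a small C parser that reports whether a captured Ethernet frame still carries an 802.1Q (or 802.1ad) tag, which is the check to run on frames from a monitoring host to confirm the NIC passed tags through. The names `parse_vlan` and `struct vlan_info` and both sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TPID_8021Q  0x8100  /* IEEE 802.1Q customer tag */
#define TPID_8021AD 0x88a8  /* IEEE 802.1ad service tag (QinQ) */

struct vlan_info {
    int      tags;       /* number of VLAN tags found (0 = untagged) */
    uint16_t vid;        /* VLAN ID of the outermost tag */
    uint8_t  pcp;        /* priority bits of the outermost tag */
    uint16_t ethertype;  /* EtherType found after all tags */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one Ethernet frame. Returns 0 on success, -1 if the frame is truncated. */
int parse_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    size_t off = 12;                    /* skip destination and source MAC */
    out->tags = 0; out->vid = 0; out->pcp = 0; out->ethertype = 0;
    if (len < 14) return -1;
    uint16_t type = be16(frame + off);
    while (type == TPID_8021Q || type == TPID_8021AD) {
        if (len < off + 6) return -1;   /* need TPID + TCI + next EtherType */
        uint16_t tci = be16(frame + off + 2);
        if (out->tags == 0) { out->vid = tci & 0x0fff; out->pcp = (uint8_t)(tci >> 13); }
        out->tags++;
        off += 4;                       /* step over TPID and TCI */
        type = be16(frame + off);
    }
    out->ethertype = type;
    return 0;
}

/* Constructed sample headers: an IPv4 frame on VLAN 5 as seen on the wire,
 * and the same frame after the driver or NIC has stripped the tag. */
static const uint8_t tagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x05, 0x08,0x00 };
static const uint8_t stripped_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };

int main(void) {
    struct vlan_info v;
    parse_vlan(tagged_frame, sizeof tagged_frame, &v);
    printf("wire:     tags=%d vid=%u type=0x%04x\n", v.tags, v.vid, v.ethertype);
    parse_vlan(stripped_frame, sizeof stripped_frame, &v);
    printf("stripped: tags=%d vid=%u type=0x%04x\n", v.tags, v.vid, v.ethertype);
    return 0;
}
```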