Re: VLAN BPF filter

["Ambika Tripathy" <Ambika.Tripathy () exfo com>]

Thanks a lot Steinar,

Then how can we make a generic solution for VLAN and Q-n-Q VLAN filter
simultaneously with other complex filters at place. Because I see below
solution "'(ether[12:2]==0x8100) and (ether[14:2]&4095==7 or
ether[14:2]&4095==10)'" works fine if no IP or TCP layer filter present,
if those are present this expression should be "'vlan and
((ether[12:2]==0x8100) and (ether[14:2]&4095==7 or
ether[14:2]&4095==10))'".

Is it a bug in BPF or BPF only works for Q-n-Q VLAN if multiple VLAN tag
present in different scope of the filter expression. I mean scopes are
separated by brackets.



Br,
Ambika Prasad  Tripathy

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of
sthaug () nethelp no
Sent: Monday, August 22, 2011 8:28 PM
To: tcpdump-workers () lists tcpdump org; Ambika Tripathy
Subject: Re: [tcpdump-workers] VLAN BPF filter 

> I want to filter packets having VLAN id 7 or VLAN ID 10. Those are not
Q-n-Q VLAN ID. So what should be perfect BPF syntax for it.
>  
>
> When I tried using below syntax, it results only those packets having
VALN ID as 7 and src host 10.21.22.2.
> ""( ( vlan 7 and src host 10.21.22.2 ) or ( vlan 10  and dst host
10.21.22.3) )""

This is expected, because each "vlan" term adds another 2-byte offset
to the rest of the expression.

You need to do this manually, e.g.

tcpdump -ni em1 '(ether[12:2]==0x8100) and (ether[14:2]&4095==7 or
ether[14:2]&4095==10)'

Steinar Haug, Nethelp consulting, sthaug () nethelp no
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.