tcpdump mailing list archives

Re: odd issue with Linux VLAN interface


From: Denis Ovsienko <denis () ovsienko info>
Date: Wed, 28 Jan 2015 08:26:35 +0000

---- On Wed, 28 Jan 2015 01:20:26 +0000 Michael Richardson  wrote ---- 

> Denis Ovsienko <denis () ovsienko info> wrote:
> > The host has an Ethernet interface with only an IPv6 link-local address
> > (eth0). On top of it there is a VLAN interface with VID 75 (eth0.75),
> > IPv6 link-local address and IPv4 address 10.0.75.254/24. The difference
> > is, when tcpdump runs with "-i eth0.75", it works as expected and
> > displays ARP and, for instance, UDP from/to the network
> > 10.0.75.0/24. When run with "-i eth0", it displays only TCP from/to
> > network 10.0.75.0. This looks wrong in two ways as the tagged packets
> > should not appear on the bearing interface in the first place and even
> > if they appear there the filter should exclude them, but instead of
> > this it excludes all the other packets.
>
> Tagged packets do appear, and if you add -e, you'll see the entire tag there
> too. At this point, it's hard to get the behaviour I think you want from
> the pcap compiler, which is to filter the traffic within the VLAN from the
> bearer.
>
> (I think that showing the tcp packets might be a fluke)

You are right:

root@homepc:~# tcpdump -pni eth0 -e not tcp
08:09:56.529239 00:0f:ea:18:f6:23 > d4:ca:6d:72:b1:da, ethertype 802.1Q (0x8100), length 58: vlan 75, p 0, ethertype IPv4, 109.74.202.168.6633 > 10.0.75.2.55847: Flags [R.], seq 0, ack 1992001615, win 0, length 0

Of course, "not ethertype ip and ip proto tcp" does not match and the right way to do this filtering on this interface 
is to filter by "vlan and not tcp" (just checked, works).

Thus the behaviour is the same as it used to be for years, both on the tcpdump side and on the Linux side. It must be the odd
timing that kept me thinking the BPF filter had somewhere flipped to do the opposite of its normal job; I had checked
several times before posting.

Thank you for the help, Guy and Michael.

-- 
    Denis Ovsienko

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
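
Added example, not part of the original message or of libpcap: a small Python model of how the two filters discussed above evaluate 802.1Q-tagged and untagged frames on the bearer interface. The frames are constructed samples, the function names are hypothetical, and `tcp` is simplified to IPv4 only.

```python
import struct

ETH_IPV4, ETH_VLAN, PROTO_TCP, PROTO_UDP = 0x0800, 0x8100, 6, 17

def frame(proto, vid=None):
    """Constructed sample: Ethernet + optional 802.1Q tag + bare 20-byte IPv4 header."""
    macs = bytes.fromhex("d4ca6d72b1da000fea18f623")  # dst, src as in the capture above
    tag = b"" if vid is None else struct.pack("!HH", ETH_VLAN, vid)
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto]) + bytes(10)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def is_tcp(pkt, type_off=12):
    """Simplified 'tcp' primitive (IPv4 only): EtherType at type_off is IPv4, protocol is 6."""
    (etype,) = struct.unpack_from("!H", pkt, type_off)
    return etype == ETH_IPV4 and pkt[type_off + 2 + 9] == PROTO_TCP

def is_vlan(pkt):
    """'vlan' primitive: the outer EtherType is 802.1Q."""
    return struct.unpack_from("!H", pkt, 12)[0] == ETH_VLAN

def not_tcp(pkt):
    # "not tcp": on a tagged frame the EtherType is 0x8100, so 'tcp' is false
    # and its negation accepts the frame whether or not it carries TCP.
    return not is_tcp(pkt)

def vlan_and_not_tcp(pkt):
    # "vlan and not tcp": after 'vlan', later primitives decode 4 bytes further in.
    return is_vlan(pkt) and not is_tcp(pkt, type_off=16)

def verdicts():
    """Map each constructed frame to (not_tcp, vlan_and_not_tcp) accept decisions."""
    samples = {
        "vlan75/tcp": frame(PROTO_TCP, 75),
        "vlan75/udp": frame(PROTO_UDP, 75),
        "untagged/tcp": frame(PROTO_TCP),
        "untagged/udp": frame(PROTO_UDP),
    }
    return {name: (not_tcp(p), vlan_and_not_tcp(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (a, b) in verdicts().items():
        print(f"{name:13} not tcp: {a!s:5}  vlan and not tcp: {b}")
```
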

