Wireshark mailing list archives

Re: capture filter with multiple vlans


From: Guy Harris <guy () alum mit edu>
Date: Thu, 4 Mar 2010 09:57:51 -0800


On Mar 3, 2010, at 8:24 AM, Filonenko Alexander-AAF013 wrote:

> Capture filters seem to accept first vlan tag and drop the rest.

$ man pcap-filter       # or "man tcpdump", for versions of libpcap prior to 1.0.0

        ...

       vlan [vlan_id]
              True if the packet is an IEEE 802.1Q VLAN packet.  If  [vlan_id]
              is specified, only true if the packet has the specified vlan_id.
              Note that the  first  vlan  keyword  encountered  in  expression
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              changes  the decoding offsets for the remainder of expression on
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              the assumption that the packet  is  a  VLAN  packet.   The  vlan
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              [vlan_id]  expression  may  be used more than once, to filter on
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              VLAN hierarchies.  Each use of that  expression  increments  the
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              filter offsets by 4.
              ^^^^^^^^^^^^^^^^^^^

              For example:
                   vlan 100 && vlan 200
              filters on VLAN 200 encapsulated within VLAN 100, and
                   vlan && vlan 300 && ip
              filters  IPv4  protocols  encapsulated  in VLAN 300 encapsulated
              within any higher order VLAN.

> Are there any tricks to handle more than one vlan?

Unfortunately, none that I know of.
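
Added example, not part of the original message and not libpcap code: a simplified Python model of the offset rule in the man page excerpt above, showing why an "or" of two vlan terms matches only the first VLAN ID on single-tagged frames. The frames, MAC addresses and function names are constructed for illustration, and the fixed +4 shift per `vlan` term is taken from the quoted man page text.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def frame(vlan_ids, ethertype=0x0800):
    """Constructed Ethernet header carrying the given stack of VLAN tags."""
    hdr = b"\x02" * 6 + b"\x04" * 6  # constructed dst/src MAC addresses
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype)

def compile_vlan_terms(vlan_ids):
    """Give each `vlan [id]` term a fixed offset, in order of appearance.

    Per the man page: each use of `vlan` increments the decoding offsets
    for the remainder of the expression by 4, whatever the operator is.
    """
    terms, type_off = [], 12  # untagged EtherType sits at byte 12
    for vid in vlan_ids:      # vid None models a bare `vlan`
        terms.append((type_off, vid))
        type_off += 4
    return terms

def vlan_term_matches(pkt, term):
    off, vid = term
    if len(pkt) < off + 4:
        return False
    tpid, tci = struct.unpack_from("!HH", pkt, off)
    return tpid == TPID_8021Q and (vid is None or (tci & 0x0FFF) == vid)

def match_and(pkt, vlan_ids):
    """Model of `vlan A && vlan B ...`."""
    return all(vlan_term_matches(pkt, t) for t in compile_vlan_terms(vlan_ids))

def match_or(pkt, vlan_ids):
    """Model of `vlan A || vlan B ...`."""
    return any(vlan_term_matches(pkt, t) for t in compile_vlan_terms(vlan_ids))

if __name__ == "__main__":
    for tags in ([100], [200], [100, 200]):
        print(tags, "vlan 100 || vlan 200 ->", match_or(frame(tags), [100, 200]))
```

In this model the second term of "vlan 100 || vlan 200" is tested 4 bytes further into the frame, so a frame tagged only with VLAN 200 is not matched.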