This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem with VLAN filtering, live vs. recorded

We have a Linux box connected to a mirror port on a Juniper router. If I use tcpdump or tethereal to view packets live, I cannot filter by VLAN, but I can by host, e.g.
tethereal -i eth2 -n host www.example.com works, while
tethereal -i eth2 -n vlan 123 and host www.example.com does not.
If I record a pcap file, e.g.
tethereal -i eth2 -w my.cap -c 400
then I can replay it with e.g.
tcpdump -r my.cap -n vlan and host www.example.com
or
tcpdump -r my.cap -n vlan 123 host www.example.com
but not
tcpdump -r my.cap -n host www.example.com

It is particularly annoying that we cannot filter live by VLAN, e.g.
tethereal -i eth2 -n vlan 123
On an older router (Nortel Passport), this worked.

We have libpcap-1.4.0 on CentOS 6 with a Mellanox driver v2.0 and a MT26448 card, connected to a Juniper EX9008 router.

I want to be able to filter live by VLAN number. Is this something I can do with the right syntax, or is it an issue with the driver or OS or hardware ?

capture-filter vlan

asked 17 Oct '14, 16:15

adaviel
1●2●2●2
accept rate: 0%

could you please post the output of the following commands on your system?

tcpdump -d vlan 123 and host www.example.com
tcpdump -d host www.example.com
tcpdump -ni eth2 -w - | od -x

please add the expected VLAN and traffic (IPs, protocol, ports, etc.)

HINT: the last command could produce a lot of output, depending on the traffic!

(21 Oct '14, 07:39) Kurt Knochner ♦

The web form won't let me add that much text. See http://andrew.triumf.ca/tcpdump_vlan.txt

I tried building the latest tarballs from tcpdump.org but they have the same issue.

(22 Oct '14, 17:16) adaviel

can you please add the output of the following command:

tcpdump -ni eth2 -w - | od -x

this is without writing a capture file to disk.

(23 Oct '14, 12:04) Kurt Knochner ♦

OK, I've updated the link. How exactly is that different ? Is tcpdump -w x.cap different from tcpdump -w - > x.cap ? Reading from a file or stdin, they seem identical

(23 Oct '14, 14:26) adaviel

2 Answers:

Linux does annoying things to VLAN tags in packets received on PF_PACKET sockets (libpcap uses PF_PACKET sockets on Linux), and libpcap doesn't yet compensate for that in the code that compiles filters. It does attempt to undo the things Linux does to the tags, so you see the packets complete with VLAN tags, so filters on a file containing those reconstructed packets works.

answered 18 Oct '14, 01:02

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

Do you have any details ? Is it possible to patch libpcap or the network driver so that it will work ?

(20 Oct '14, 17:26) adaviel

http://lists.openwall.net/netdev/2008/07/08/31 talks about some of the problems. There was a blog entry on it as well, can't find that anymore.

(21 Oct '14, 05:45) Jaap ♦

That's talking about kernel patches added in 2008. I believe that the one to linux/if_vlan.h is included in 2.6.32. I don't understand whether the patch is supposed to fix my problem, or whether it causes my problem.

(22 Oct '14, 17:30) adaviel

Take note of this part: "There are mainly two remaining problems with this approach:" which suggests to me that there are residual problems even after these patches applied.

(23 Oct '14, 02:01) Jaap ♦

0	This may be fixed in libpcap 1.7.x See issue 390 answered 04 Nov '14, 14:02 adaviel 1●2●2●2 accept rate: 0%