This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PCAP Filter with VN-Tag Present

0

I am trying to filter through traffic that may or may not have a VN-Tag present. As this tag sits between the Ethernet and IP protocol sections it is messing up pcap filter elements. How do I go about working around these tags?

asked 19 May '16, 10:35


jdwiegman
accept rate: 100%

edited 19 May '16, 12:56


JeffMorriss ♦

Do you mean VLAN tag? And why/how is it "messing up" filter elements?

(19 May '16, 10:39) Jasper ♦♦

VN-Tag, 0x8926 http://www.ieee802.org/1/files/public/docs2009/new-pelissier-vntag-seminar-0508.pdf

Its presence makes filter items like 'host X.X.X.X' not work, I am assuming because it has now offset those elements.

(19 May '16, 10:41) jdwiegman

I can filter for this traffic with a filter of 'ether proto 0x8926' but then I can't apply any other filters.

(19 May '16, 11:57) jdwiegman

When you have a question about capture filters it's best to consult the pcap-filter(7) man page. There you'll find no mention of filters for VN-tags (like there are for VLAN-tags).

As far as I can tell there's no way to increment BPF's decoding offsets without using a known keyword like vlan but I'll let someone more knowledgeable in BPF to answer/confirm.

(19 May '16, 13:02) JeffMorriss ♦

Thanks Jeff. Yeah I saw that, and it looks like I have to go down the route of manually parsing the ethernet frame (at least until I have time to look to add a vn construct in the bpf code).

(19 May '16, 13:07) jdwiegman

3 Answers:

2

You could use vlan if the vntag was 4 bytes, but since it's 6 bytes you'll have to compute offsets, at least until a new BPF keyword is added to support it. Maybe something like the following will temporarily suffice?

 "ether proto 0x8926 and ether[22:2] = 0x0800 and (ether[36:4] = 0xXXXXXXXX or ether[40:4] = 0xXXXXXXXX)"

answered 19 May '16, 14:10


cmaynard ♦♦
accept rate: 20%

1

It would probably be useful if the libpcap/tcpdump project were to support a more generic primitive, such as "skip n" or "offset n" ... where n is an arbitrary positive integer. This would allow you to be able to skip an arbitrary number of bytes.

(19 May '16, 18:15) cmaynard ♦♦

So would skip n adjust the offset just as vlan does, but always match, so that vlan would be equivalent to (ether proto 0x8100 or ether proto 0x88a8 or ether proto 0x9100) and skip 4, i.e. testing for the three types it (currently) recognizes as VLAN tag Ethertype values and, if it matches, skips 4 bytes?

(19 May '16, 18:45) Guy Harris ♦♦

I was thinking of a primitive/construct that would effectively behave as:

    if ethertype == 0xXXXX
            skip n bytes

So for 802.1Q:

    if ethertype == 0x8100
            skip 4 bytes

And for 802.1ad:

    if ethertype == 0x88a8 
            skip 8 bytes

For VNtag:

    if ethertype == 0x8926 
            skip 10 bytes

My proposed syntax was obviously missing the ethertype itself, so maybe skip(etype,n) is a better illustration of the general idea?

(19 May '16, 19:34) cmaynard ♦♦

See Wireshark bug 12518 for another possible use case of the skip primitive (or whatever it might eventually be called if implemented), this one for the Cisco Nexus Time Tag.

(15 Jun '16, 15:01) cmaynard ♦♦
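The offset arithmetic in the answer above, and the "if ethertype == X, skip n bytes" semantics proposed in its comments, worked through in Python as an added example (this is not code from the thread, libpcap or Wireshark). The tag sizes are the ones stated in the thread: a VN-Tag (ethertype 0x8926) is 6 bytes on the wire including its ethertype, and 802.1Q-style tags are 4 bytes each. The script walks a frame's tag stack with that table, emits the equivalent `ether[off:len]` capture filter for a given tag stack (with a VN-Tag followed by an 802.1Q tag it reproduces the 22/36/40 offsets above), ORs one branch per expected tag stack the way `X or (vlan and X)` does for plain VLAN tags, checks the same offsets against real bytes, and strips the VN-Tag as a chop-style tool would. The MAC addresses, IP addresses and frame bytes are constructed sample data and the function names are mine.

```python
"""Added example (not from the thread, libpcap or Wireshark): VN-Tag-aware
BPF offset arithmetic, filter generation and a byte-level check.

Tag sizes follow the thread: VN-Tag (0x8926) is 6 bytes on the wire
(2-byte ethertype + 4-byte body); 802.1Q-style tags are 4 bytes.
All frames, MAC and IP addresses below are constructed sample data.
"""
import ipaddress
import struct

ETHERTYPE_OFFSET = 12  # ethertype follows dst(6) + src(6) MAC addresses
ETHERTYPE_IPV4 = 0x0800

# Tag body length after the ethertype: the "if ethertype == X: skip n"
# table proposed in the thread, with the sizes the thread gives.
TAG_BODY_LEN = {
    0x8926: 4,  # VN-Tag: 6 bytes on the wire including its ethertype
    0x8100: 2,  # 802.1Q: 2-byte TCI
    0x88a8: 2,  # 802.1ad S-tag; a following 802.1Q C-tag is walked as well
    0x9100: 2,  # older QinQ outer tag
}


def walk_tags(frame: bytes):
    """Walk the tag stack from the Ethernet ethertype onwards.

    Returns (tags, payload_ethertype, payload_offset); tags is a list of
    (ethertype, offset) for each tag encountered, in order.
    """
    off = ETHERTYPE_OFFSET
    tags = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_BODY_LEN:
            return tags, etype, off + 2
        tags.append((etype, off))
        off += 2 + TAG_BODY_LEN[etype]


def bpf_host_filter(tag_stack, host: str) -> str:
    """Capture filter equivalent to 'ip host <host>' for frames carrying
    exactly the given tag ethertypes, in order, in front of the IP header.
    'ether[12:2] = 0x8926' is the same test as 'ether proto 0x8926'."""
    addr = int(ipaddress.IPv4Address(host))
    terms = []
    off = ETHERTYPE_OFFSET
    for etype in tag_stack:
        terms.append(f"ether[{off}:2] = 0x{etype:04x}")
        off += 2 + TAG_BODY_LEN[etype]
    terms.append(f"ether[{off}:2] = 0x{ETHERTYPE_IPV4:04x}")
    ip_off = off + 2
    # IPv4 source address sits at +12, destination at +16 from the IP header
    terms.append(
        f"(ether[{ip_off + 12}:4] = 0x{addr:08x} or ether[{ip_off + 16}:4] = 0x{addr:08x})"
    )
    return " and ".join(terms)


def bpf_host_filter_any(host: str, stacks=((), (0x8926,), (0x8926, 0x8100))) -> str:
    """OR together one branch per tag stack you expect to see, untagged
    first, the same way 'X or (vlan and X)' covers plain and VLAN-tagged
    frames. A frame with a tag stack not listed here is not matched."""
    return " or ".join(f"({bpf_host_filter(s, host)})" for s in stacks)


def frame_matches_host(frame: bytes, host: str) -> bool:
    """Apply the same offset arithmetic to real bytes: True when the IPv4
    source or destination address equals host."""
    _, etype, ip_off = walk_tags(frame)
    if etype != ETHERTYPE_IPV4 or len(frame) < ip_off + 20:
        return False
    want = ipaddress.IPv4Address(host).packed
    return frame[ip_off + 12:ip_off + 16] == want or frame[ip_off + 16:ip_off + 20] == want


def strip_vntag(frame: bytes) -> bytes:
    """Remove a leading VN-Tag (6 bytes at offset 12) so ordinary primitives
    and the 'vlan' keyword work again; the same effect as chopping those
    bytes out of every packet with a tool such as editcap -C."""
    if struct.unpack_from("!H", frame, ETHERTYPE_OFFSET)[0] != 0x8926:
        return frame
    return frame[:ETHERTYPE_OFFSET] + frame[ETHERTYPE_OFFSET + 6:]


def build_frame(tag_stack, src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet + tag stack (zeroed tag bodies)
    + minimal IPv4 header + payload."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for etype in tag_stack:
        frame += struct.pack("!H", etype) + b"\x00" * TAG_BODY_LEN[etype]
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytearray(20)
    ip[0] = 0x45                                      # version 4, IHL 5
    struct.pack_into("!H", ip, 2, 20 + len(payload))  # total length
    ip[8], ip[9] = 64, 17                             # TTL, protocol UDP
    ip[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip[16:20] = ipaddress.IPv4Address(dst_ip).packed
    return frame + bytes(ip) + payload


if __name__ == "__main__":
    f = build_frame((0x8926, 0x8100), "10.0.0.1", "192.168.1.5")
    print(walk_tags(f))
    print(bpf_host_filter((0x8926, 0x8100), "10.0.0.1"))
    print(bpf_host_filter_any("10.0.0.1"))
    print(frame_matches_host(f, "192.168.1.5"), frame_matches_host(strip_vntag(f), "10.0.0.1"))
```

Before deploying a generated expression, run it through `tcpdump -d 'filter'` (or `-dd`) to confirm the compiled BPF loads at the offsets you expect; a mistake in the assumed tag stack silently matches nothing rather than failing.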

0

Okay, then this looks like it doesn't work as it should, and you're talking about capture filter syntax a.k.a. BPF. Maybe you can work around using display filtering instead? If Wireshark can decode the VN-Tag it should be able to use display filters as usual.

I'm not sure if it's the right place to open a bug report regarding capture filters, but you could head over to https://bugs.wireshark.org to create one.

answered 19 May '16, 12:56


Jasper ♦♦
accept rate: 18%

I was just coming back to point out that Wireshark does understand VN-tags--so @jdwiegman might be able to use those to achieve what s/he needs.

Another possibility (if you can get all the VN-tagged frames in one file) would be to use editcap -C to strip the tags out.

And, no, Wireshark's not the place to request BPF enhancements--that would be something for tcpdump.org

(19 May '16, 13:13) JeffMorriss ♦

0

For a pcap filter XXX, if you want to capture those packets regardless of whether the packets are VLAN-tagged or not, you do {XXX} or (vlan and {XXX}). So, for example, to capture UDP packets to port 53, regardless of whether they're in VLAN-tagged frames or not, you have to do udp port 53 or (vlan and udp port 53).

answered 19 May '16, 15:16


Guy Harris ♦♦
accept rate: 19%

1

This isn't about VLANs, but "VN"s - I had to ask, too :-)

(19 May '16, 15:18) Jasper ♦♦