I am trying to filter through traffic that may or may not have a VN-Tag present. As this tag sits between the Ethernet and IP protocol sections it is messing up pcap filter elements. How do I go about working around these tags?

asked 19 May '16, 10:35 jdwiegman, edited 19 May '16, 12:56 JeffMorriss ♦
3 Answers:
You could use
answered 19 May '16, 14:10 cmaynard ♦♦ 1

It would probably be useful if the libpcap/tcpdump project were to support a more generic primitive, such as (19 May '16, 18:15) cmaynard ♦♦

So would (19 May '16, 18:45) Guy Harris ♦♦

I was thinking of a primitive/construct that would effectively behave as:
So for 802.1Q:
And for 802.1ad:
For VNtag:
My proposed syntax was obviously missing the ethertype itself, so maybe (19 May '16, 19:34) cmaynard ♦♦

See Wireshark bug 12518 for another possible use case of the (15 Jun '16, 15:01) cmaynard ♦♦
Okay, then this looks like it doesn't work as it should, and you're talking about capture filter syntax a.k.a. BPF. Maybe you can work around using display filtering instead? If Wireshark can decode the VN-Tag it should be able to use display filters as usual. I'm not sure if it's the right place to open a bug report regarding capture filters, but you could head over to https://bugs.wireshark.org to create one.

answered 19 May '16, 12:56 Jasper ♦♦

I was just coming back to point out that Wireshark does understand VN-tags--so @jdwiegman might be able to use those to achieve what s/he needs. Another possibility (if you can get all the VN-tagged frames in one file) would be to use And, no, Wireshark's not the place to request BPF enhancements--that would be something for tcpdump.org (19 May '16, 13:13) JeffMorriss ♦
For a pcap filter XXX, if you want to capture those packets regardless of whether the packets are VLAN-tagged or not, you do

answered 19 May '16, 15:16 Guy Harris ♦♦ 1

This isn't about VLANs, but "VN"s - I had to ask, too :-) (19 May '16, 15:18) Jasper ♦♦
Do you mean VLAN tag? And why/how is it "messing up" filter elements?
VN-Tag, 0x8926 http://www.ieee802.org/1/files/public/docs2009/new-pelissier-vntag-seminar-0508.pdf
Its presence makes filter items like 'host X.X.X.X' not work; I am assuming because it's now offset those elements.
I can filter for this traffic with a filter of 'ether proto 0x8926', but then I can't apply any other filters.
When you have a question about capture filters it's best to consult the pcap-filter(7) man page. There you'll find no mention of filters for VN-tags (like there are for VLAN-tags).
As far as I can tell there's no way to increment BPF's decoding offsets without using a known keyword like 'vlan', but I'll let someone more knowledgeable in BPF answer/confirm.

Thanks Jeff. Yeah I saw that, and it looks like I have to go down the route of manually parsing the ethernet frame (at least until I have time to look to add a vn construct in the bpf code).
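The manual-offset route the thread ends on, written out as an added example (my code, not any poster's): it walks the tag stack to find the IP header behind a VN-Tag and builds the explicit ether[] capture filter that a plain 'host' primitive cannot express. The sample frame, the TAG_LENGTHS table and the function names are constructed here; it assumes a VN-Tag is 6 bytes (TPID 0x8926 plus a 4-byte tag), as in the linked slides.

```python
import ipaddress
import struct

# Bytes consumed by each tag that can sit between the MAC addresses and the
# next-layer header: 802.1Q / 802.1ad tags are 4 bytes (TPID + TCI); a VN-Tag
# (TPID 0x8926) is 6 bytes, pushing the real EtherType and IP header 6 bytes in.
TAG_LENGTHS = {0x8100: 4, 0x88A8: 4, 0x9100: 4, 0x8926: 6}

def l3_offset(frame: bytes):
    """Return (inner EtherType, offset of the L3 header) for a raw Ethernet
    frame, walking over any stack of 802.1Q / 802.1ad / VN-Tag headers."""
    off = 12  # destination MAC (6) + source MAC (6)
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_LENGTHS:
            return etype, off + 2
        off += TAG_LENGTHS[etype]

def ipv4_endpoints(frame: bytes):
    """Return (src, dst) IPv4 addresses, or None if the frame is not IPv4."""
    etype, off = l3_offset(frame)
    if etype != 0x0800:
        return None
    src, dst = struct.unpack_from("!4s4s", frame, off + 12)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def host_filter(ip: str, tag_stack=(0x8926,)):
    """Build a capture filter equivalent to 'host <ip>' for frames carrying
    the given tag stack, spelling out byte offsets with ether[off:len]
    primitives since pcap-filter has no keyword for VN-Tags."""
    off = 12
    terms = []
    for tpid in tag_stack:
        terms.append(f"ether[{off}:2] = {tpid:#06x}")
        off += TAG_LENGTHS[tpid]
    terms.append(f"ether[{off}:2] = 0x0800")  # inner EtherType must be IPv4
    ip_hdr = off + 2
    addr = int(ipaddress.IPv4Address(ip))
    terms.append(
        f"(ether[{ip_hdr + 12}:4] = {addr:#010x} or ether[{ip_hdr + 16}:4] = {addr:#010x})"
    )
    return " and ".join(terms)

# Constructed sample: zeroed MACs, VN-Tag 0x8926 with an all-zero 4-byte tag,
# inner EtherType IPv4, then a minimal IPv4 header 10.0.0.1 -> 10.0.0.2.
IPV4_HDR = bytes.fromhex("45000014000100004001" "0000" "0a000001" "0a000002")
VNTAG_FRAME = bytes(12) + bytes.fromhex("8926" "00000000" "0800") + IPV4_HDR
PLAIN_FRAME = bytes(12) + bytes.fromhex("0800") + IPV4_HDR
```

Passing (0x8100,) as tag_stack yields the same filter for a single 802.1Q tag, which is what the 'vlan' keyword does implicitly.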