This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture across VLANs?


I want to capture all packets on all vlans EXCEPT some port ranges. We have a port mirror in place and are receiving vlan tagged packets as expected. Currently, I've only been able to get capture filters working if we explicitly write 'vlan' in the filter (see below). Is there a way to apply a capture filter that applies to all vlans?

not ((udp portrange 14336-14600) or (vlan 701 and udp portrange 14336-14600))

The above capture essentially has two statements or'd together, my question is: is it possible to condense this? We have multiple ranges of ports we want to filter, and it gets very cumbersome (and buggy) to string so many together. Is there some syntax to use the udp portrange regardless of any vlan (or without a vlan tag)?

Thanks in advance for any help.

asked 13 Sep '16, 09:19


PropellerHead

Followup, here's the filter I'm trying to achieve (which doesn't work). It seems to let some port ranges through that we wouldn't expect.

(not (udp portrange 14336-14600 or udp portrange 319-320 or udp port 9998)) and (not ((vlan 701 and udp portrange 14336-14600) or (vlan 701 and udp portrange 319-320) or (vlan 701 and udp port 9998)) )

(13 Sep '16, 09:33) PropellerHead

One Answer:


If you want to capture traffic for all vlans, simply omit the optional vlan_id, 701 in this case.

So, to achieve what you want, I think the following capture filter should work:

vlan and not (udp portrange 14336-14600 or udp portrange 319-320 or udp port 9998)

Here you'll notice that I placed the vlan keyword first, since the pcap-filter man page indicates that, "Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet."

answered 13 Sep '16, 10:53


cmaynard ♦♦

Thanks for the response.

Maybe I didn't explain thoroughly enough... some of the packets don't have a vlan tag either. On this particular switch, local traffic doesn't have a vlan tag but anything coming from another switch (fiber trunk) has a vlan tag. Can your filter be modified to include non-vlan tagged packets?

(13 Sep '16, 13:10) PropellerHead

In that case, you need to duplicate the UDP port exclusion portion of the capture filter:

(not (udp portrange 14336-14600 or udp portrange 319-320 or udp port 9998)) or (vlan and not (udp portrange 14336-14600 or udp portrange 319-320 or udp port 9998))

(13 Sep '16, 13:14) cmaynard ♦♦

For some reason, tagged and untagged packets from the 14K port range are still showing up in my captures. To be clear, the port ranges are all destination ports.

(13 Sep '16, 14:22) PropellerHead

Perhaps you could post a sample capture to cloudshark (or elsewhere) of the traffic you're capturing that you are trying to avoid capturing?

(13 Sep '16, 16:17) cmaynard ♦♦

To be clear, the port ranges are all destination ports.

There is yet another set of modifiers, src and dst, which may be used for various types of addresses. So changing udp port[range] to udp dst port[range] should solve your issue.

(14 Sep '16, 01:45) sindy

I don't see how specifying dst is going to help. Without that specifier, the filter will match either the source or destination port[range].

I would guess that there's some other encapsulation going on for those packets, such as Q-in-Q, but rather than guess, I figured I'd ask for a capture file.

(14 Sep '16, 05:21) cmaynard ♦♦
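The following is an added illustration, not code from the thread, from Wireshark or from libpcap: a small pure-Python model of how a pcap capture filter's offsets move when the `vlan` keyword is (or is not) present. `udp_ports()` walks past any 802.1Q headers to find the UDP ports, and `keep_frame()` applies the same exclusion as cmaynard's final filter (`(not (udp portrange ...)) or (vlan and not (udp portrange ...))`). The `max_tags` parameter is an assumption of this model: it stands for how many VLAN headers the filter knows how to skip, which is one for a filter with a single `vlan` keyword. The Ethernet/IPv4/UDP frames are constructed sample data, and the tagging loop also accepts the 0x88a8 TPID so the double-tag (Q-in-Q) case that cmaynard suspects can be shown: such frames are not recognised as UDP by a single-`vlan` filter, so the exclusion never applies and they still end up in the capture.

```python
"""Model of 802.1Q offset shifting in a pcap-style UDP port exclusion filter.
Added example for the thread above; not Wireshark or libpcap code."""
import struct

ETH_P_8021Q = 0x8100   # C-tag TPID
ETH_P_8021AD = 0x88A8  # S-tag TPID (Q-in-Q outer tag)
ETH_P_IP = 0x0800
IPPROTO_UDP = 17

# Destination/source port ranges the question wants to exclude (from the thread).
EXCLUDED = [(14336, 14600), (319, 320), (9998, 9998)]


def udp_ports(frame: bytes):
    """Return (vlan_ids, src_port, dst_port) for an IPv4/UDP frame, else None.

    vlan_ids lists every VLAN tag found, outermost first (empty if untagged).
    Every tag pushes the IP and UDP headers 4 bytes further into the frame; a
    pcap filter only compensates for that when it contains the `vlan` keyword.
    """
    offset = 12
    tags = []
    ethertype = struct.unpack_from('!H', frame, offset)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tci = struct.unpack_from('!H', frame, offset + 2)[0]
        tags.append(tci & 0x0FFF)          # VID is the low 12 bits of the TCI
        offset += 4
        ethertype = struct.unpack_from('!H', frame, offset)[0]
    offset += 2                            # skip the EtherType; now at the IP header
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[offset] & 0x0F) * 4       # IPv4 header length in bytes
    if frame[offset + 9] != IPPROTO_UDP:
        return None
    sport, dport = struct.unpack_from('!HH', frame, offset + ihl)
    return tags, sport, dport


def excluded_port(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in EXCLUDED)


def keep_frame(frame: bytes, max_tags: int = 1) -> bool:
    """True if the modelled filter would capture the frame.

    Emulates `(not (udp portrange ...)) or (vlan and not (udp portrange ...))`.
    max_tags (hypothetical knob of this model) is how many VLAN headers the
    filter can skip: 0 for a filter with no `vlan` keyword, 1 for the filter in
    the thread. Frames with more tags than that are not seen as UDP at all, so
    `not (udp ...)` is true and the frame is captured anyway.
    """
    parsed = udp_ports(frame)
    if parsed is None:
        return True                        # non-UDP traffic is never excluded
    tags, sport, dport = parsed
    if len(tags) > max_tags:
        return True                        # offsets misaligned: exclusion cannot apply
    return not (excluded_port(sport) or excluded_port(dport))


def build_udp_frame(dport: int, vlan_ids=(), sport: int = 40000) -> bytes:
    """Constructed sample frame: Ethernet, zero or more 802.1Q tags, IPv4, UDP."""
    frame = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb')
    for vid in vlan_ids:
        frame += struct.pack('!HH', ETH_P_8021Q, vid & 0x0FFF)
    payload = b'x' * 8
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return frame + struct.pack('!H', ETH_P_IP) + ip + udp


if __name__ == '__main__':
    cases = {
        'untagged, dst 14400': build_udp_frame(14400),
        'vlan 701, dst 14400': build_udp_frame(14400, (701,)),
        'vlan 701, dst 53': build_udp_frame(53, (701,)),
        'Q-in-Q 100/701, dst 14400': build_udp_frame(14400, (100, 701)),
    }
    for name, f in cases.items():
        print(f'{name:28s} captured={keep_frame(f)}')
```

Running the block shows the first two frames excluded, the DNS frame kept, and the double-tagged frame captured despite its destination port being in the excluded range; calling `keep_frame(frame, max_tags=2)` on it models a filter that also accounts for the second tag, under which it is excluded.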