identifying vlan packets using tcpdump


If your host is connected to an access port, the switch will likely strip the VLAN tag off before it reaches your host. As a result, running tcpdump on the host in question will never see the VLAN tags.

You would need to set up a SPAN port and/or introduce a network tap into your network somewhere to grab traffic before the tags are dropped off the packets in order to see them in a network dump/trace.

Author: madCode

Updated on September 18, 2022

Comments

  • madCode
    madCode almost 2 years

    I'm trying to figure out the vlan tagged packets that my host receives or sends to other hosts. I tried

    tcpdump -i eth1 vlan 0x0070

    But it didn't work. Has anyone tried to view the vlan packets through tcpdump before? Couldn't find much help searching the web!

    • Michael Hampton
      Michael Hampton over 10 years
      Are values in hex allowed? The man page doesn't say anything about it. Try it in decimal. vlan 112
    • Will Dixon
      Will Dixon over 10 years
      Are you expecting it to be sending VLAN tagged traffic? Is it connected to a trunk port on the switch?
    • madCode
      madCode over 10 years
      No, I expect it to listen on eth1 for vlan tagged traffic.
    • Veniamin
      Veniamin over 10 years
      Not sure you will find it there. Try -i eth1.112 instead.
  • Denys
    Denys over 10 years
    Note that "vlan" increases the filter start offset by four bytes. Combining it with other primitives, e.g. "vlan or ip host 10.11.1.2" may not do what you expect.
  • YLearn
    YLearn over 10 years
    To be accurate, a switch does not strip VLAN tags off a frame before sending it out an access port, it only adds VLAN tagging to frames before it sends them out a trunk/tagged port (and they are removed once received by the switch on the other side).
  • Rex
    Rex over 10 years
    This still would not see vlan tags unless the port he is connected to is tagging the traffic.
  • nandoP
    nandoP over 10 years
    @Rex, that's right, the other side of the ethernet cable must be conf'ed as, what Cisco calls, "switchport mode trunk" or vendor equivalent
  • pabouk - Ukraine stay strong
    pabouk - Ukraine stay strong over 5 years
    tcpdump is suited for L2 - L4 and also application layer of some protocols. tcpdump -e shows more information from the Ethernet header including VLAN tags.
  • 0xC0000022L
    0xC0000022L about 4 years
    And still tshark, the Wireshark CLI frontend, is way more powerful than tcpdump methinks.
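Two points in the thread are easy to get wrong without seeing the bytes: Denys's note that the "vlan" keyword shifts the decoding offset of everything after it by four bytes (so "vlan or ip host 10.11.1.2" does not match what you expect), and Michael Hampton's question of whether the VLAN ID may be written in hex. The following Python is an added illustration, not code from the original page or from tcpdump/libpcap: it builds a tagged and an untagged Ethernet/IPv4 frame from constructed bytes, decodes the 802.1Q tag the way "tcpdump -e" would report it, and evaluates a toy filter whose only rule about "vlan" is the one documented in pcap-filter(7): the first "vlan" keyword moves the offsets for the remainder of the expression, whether or not the frame is actually tagged. The MAC and IP addresses are constructed sample values; the filter evaluator is a deliberately small model and not libpcap's compiler.

```python
"""Toy model of how an 802.1Q tag shifts tcpdump/libpcap filter offsets (added example).

All frames are constructed in memory; nothing here opens a network interface.
"""
import socket
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETH_P_IP = 0x0800      # EtherType of IPv4


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet + IPv4 frame, optionally 802.1Q-tagged.

    With a tag the IPv4 header starts at byte 18 instead of 14; that 4-byte
    shift is exactly what the 'vlan' filter primitive compensates for.
    """
    eth = bytes.fromhex("001122334455" "66778899aabb")   # dst MAC, src MAC (constructed)
    if vlan_id is not None:
        # TPID 0x8100, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP/DEI left 0
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    # IPv4 header only: version/IHL, TOS, total len, id, flags/frag, TTL, proto (UDP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


def vlan_id_of(frame):
    """Return the VLAN ID if the frame carries an 802.1Q tag, else None."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def _ip_src_at(frame, link_len):
    """IPv4 source address read on the assumption the IP header starts at link_len."""
    if len(frame) < link_len + 16:
        return None
    return socket.inet_ntoa(frame[link_len + 12:link_len + 16])


def decode(frame):
    """Decode (vlan_id, src, dst) with the correct offsets, as 'tcpdump -e' would print them."""
    vid = vlan_id_of(frame)
    link_len = 18 if vid is not None else 14
    dst = socket.inet_ntoa(frame[link_len + 16:link_len + 20])
    return vid, _ip_src_at(frame, link_len), dst


def matches(expr, frame):
    """Evaluate a tiny filter expression against one frame.

    expr is a list of primitives joined by 'and'/'or', evaluated left to right
    without precedence, e.g. ["vlan 112", "or", "host 10.11.1.2"]. Supported
    primitives: 'vlan', 'vlan <id>', 'host <ipv4>' (source address only).
    Models the rule from pcap-filter(7): the first 'vlan' keyword shifts the
    decoding offsets of every later primitive by 4 bytes, tagged or not.
    """
    link_len = 14
    result, op = None, None
    for tok in expr:
        if tok in ("and", "or"):
            op = tok
            continue
        kind, _, arg = tok.partition(" ")
        if kind == "vlan":
            vid = vlan_id_of(frame)
            # int(arg, 0) accepts "112" and "0x0070" alike, as libpcap's lexer does
            val = (vid is not None) if not arg else (vid == int(arg, 0))
            link_len = 18      # shift applies to the rest of the expression
        elif kind == "host":
            val = _ip_src_at(frame, link_len) == arg
        else:
            raise ValueError(f"unsupported primitive {kind!r}")
        if result is None:
            result = val
        elif op == "and":
            result = result and val
        else:
            result = result or val
    return bool(result)


if __name__ == "__main__":
    tagged = build_frame("10.11.1.2", "10.11.1.3", vlan_id=112)
    plain = build_frame("10.11.1.2", "10.11.1.3")
    print("tagged:", decode(tagged), " plain:", decode(plain))
    for expr in (["vlan 112"], ["vlan 0x0070"], ["host 10.11.1.2"],
                 ["vlan 112", "or", "host 10.11.1.2"], ["host 10.11.1.2", "or", "vlan 112"]):
        print(f"{' '.join(expr):32s} tagged={matches(expr, tagged)} plain={matches(expr, plain)}")
```

Running it shows the two traps side by side: "host 10.11.1.2" alone misses the tagged frame (it reads TTL/protocol/checksum bytes as an address), and "vlan 112 or host 10.11.1.2" misses the untagged frame because the host test now looks four bytes too far, while "host 10.11.1.2 or vlan 112" matches it. In real tcpdump the same ordering advice applies: put host/port primitives before "vlan" when you want them to apply to untagged traffic, and use "vlan ... and ..." when you mean the tagged traffic only.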