identifying vlan packets using tcpdump
If your host is connected to an access port, the switch will likely strip the VLAN tag off before it reaches your host. As a result, running tcpdump on the host in question will never see the VLAN tags.
You would need to set up a SPAN port and/or introduce a network tap into your network somewhere to capture traffic before the tags are removed from the packets, in order to see them in a network dump/trace.
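An added worked example, not part of the original answer: the Python below constructs an 802.1Q-tagged frame the way it travels on a trunk link and the same frame as an access port delivers it (tag removed, four bytes shorter), decodes both, and mimics how a pcap filter reads its offsets with and without the "vlan" adjustment described in the tcpdump man page (the first "vlan" keyword shifts the decoding offsets for the rest of the expression by four bytes). The MAC and IP addresses are made up for the example.

```python
import struct
from ipaddress import IPv4Address

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
UNTAGGED_L2_LEN = 14     # dst MAC (6) + src MAC (6) + EtherType (2)
TAGGED_L2_LEN = 18       # the same plus TPID (2) + TCI (2)

# Constructed sample addresses; they do not come from the original page.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
SRC_IP, DST_IP = "10.11.1.2", "10.11.1.1"


def ipv4_packet(src, dst, payload=b"\x00" * 8):
    """Minimal IPv4 header (IHL 5, protocol UDP, checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def tagged_frame(dst_mac, src_mac, vlan_id, pcp, packet):
    """Frame as seen on a trunk link: 802.1Q tag inserted after the source MAC."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)            # TCI = PCP(3) | DEI(1) | VID(12)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + packet


def untagged_frame(dst_mac, src_mac, packet):
    """Same frame as delivered on an access port: no tag, four bytes shorter."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame):
    """Decode the link-layer header; 'vlan' is None when there is no 802.1Q tag."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    l2_len = UNTAGGED_L2_LEN
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"], info["pcp"] = tci & 0x0FFF, tci >> 13
        l2_len = TAGGED_L2_LEN
    info["ethertype"], info["l2_len"] = ethertype, l2_len
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= l2_len + 20:
        ip = frame[l2_len:l2_len + 20]
        info["ip_src"] = str(IPv4Address(ip[12:16]))
        info["ip_dst"] = str(IPv4Address(ip[16:20]))
    return info


def vlan_filter(frame, vlan_id):
    """Mimic the pcap primitive 'vlan N': TPID at offset 12, VID in the low 12 bits of TCI."""
    if len(frame) < TAGGED_L2_LEN:
        return False
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tpid == TPID_8021Q and (tci & 0x0FFF) == vlan_id


def ip_host_filter(frame, host, l2_len):
    """Mimic 'ip host X' compiled against a fixed link-layer length.

    libpcap assumes 14 by default and 18 once a 'vlan' keyword has appeared earlier
    in the expression, so evaluating a frame with the wrong l2_len reads garbage.
    """
    if len(frame) < l2_len + 20:
        return False
    ethertype = struct.unpack("!H", frame[l2_len - 2:l2_len])[0]
    if ethertype != ETHERTYPE_IPV4:
        return False
    ip = frame[l2_len:l2_len + 20]
    want = IPv4Address(host).packed
    return ip[12:16] == want or ip[16:20] == want


PACKET = ipv4_packet(SRC_IP, DST_IP)
TAGGED = tagged_frame(DST_MAC, SRC_MAC, vlan_id=112, pcp=0, packet=PACKET)
UNTAGGED = untagged_frame(DST_MAC, SRC_MAC, PACKET)

if __name__ == "__main__":
    for name, frame in (("trunk (tagged)", TAGGED), ("access (untagged)", UNTAGGED)):
        print(name, parse_frame(frame))
        print("  vlan 112            ->", vlan_filter(frame, 112))
        print("  ip host (offset 14) ->", ip_host_filter(frame, SRC_IP, UNTAGGED_L2_LEN))
        print("  ip host (offset 18) ->", ip_host_filter(frame, SRC_IP, TAGGED_L2_LEN))
```

Running it shows the two points of the discussion: the access-port copy carries no tag at all, so nothing a host-side "tcpdump -e -nn -i eth1 vlan 112" can filter on is left in the frame, and "ip host" only matches when it is evaluated with the link-layer length that actually applies to the frame, which is why an expression such as "vlan or ip host 10.11.1.2" silently misses the untagged packets.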
Comments
-
madCode almost 2 years
I'm trying to figure out the vlan tagged packets that my host receives or sends to other hosts. I tried
tcpdump -i eth1 vlan 0x0070
But it didn't work. Has anyone tried to view the VLAN packets through tcpdump before? Couldn't find much help searching the web!
-
Michael Hampton over 10 years
Are values in hex allowed? The man page doesn't say anything about it. Try it in decimal.
vlan 112
-
Will Dixon over 10 years
Are you expecting it to be sending VLAN tagged traffic? Is it connected to a trunk port on the switch?
-
madCode over 10 years
No, I expect it to listen on eth1 for VLAN tagged traffic.
-
Veniamin over 10 years
Not sure you will find it there. Try -i eth1.112 instead.
-
Denys over 10 years
Note that "vlan" increases the filter start offset by four bytes. Combining it with other primitives, e.g. "vlan or ip host 10.11.1.2", may not do what you expect.
-
YLearn over 10 years
To be accurate, a switch does not strip VLAN tags off a frame before sending it out an access port; it only adds VLAN tagging to frames before it sends them out a trunk/tagged port (and they are removed once received by the switch on the other side).
-
Rex over 10 years
This still would not see VLAN tags unless the port he is connected to is tagging the traffic.
-
nandoP over 10 years
@Rex, that's right, the other side of the Ethernet cable must be configured as, what Cisco calls, "switchport mode trunk" or the vendor equivalent.
-
pabouk - Ukraine stay strong over 5 years
tcpdump is suited for L2 - L4 and also the application layer of some protocols. tcpdump -e shows more information from the Ethernet header, including VLAN tags.
-
0xC0000022L about 4 years
And still tshark, the Wireshark CLI frontend, is way more powerful than tcpdump, methinks.