tcpdump: capture one of several vlans
Solution 1
I remembered that you can examine the packet bytes directly. So looking directly into the ethernet header works:
tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'
Don't forget the :2, this is a 2 byte field -- I got stuck on this for a while.
Solution 2
It can be done in more simply way than using deep packet exam, just use grep:
tcpdump -n -i eth1 -e | grep "vlan 1000"
-e: Print the link-level header on each dump line.
it will print lines like
ethertype 802.1Q (0x8100), length 60: vlan 1000, p 0, ethertype ARP
which can be easily catch by grep
If you want catch more than one VLAN ID you can use command like:
tcpdump -n -i eth1 -e | grep "vlan 1000\|vlan 501"
Related videos on Youtube
23 : 20
16 : 53
03 : 16
34 : 35
02 : 20
Amiram Korach
I get paid for deeply embedded bit bashing, for wrangling SIP and MGCP conversations, and meeting hard real-time deadlines in design and code. I post regularly to my blog, The Daily Build.
Updated on September 17, 2022Comments
-
Amiram Korach almost 2 years
I want tcpdump to capture VLAN 1000 or VLAN 501.
man pcap-filtersays:The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.
When I do:
tcpdump -vv -i eth1 \( vlan 1000 \) and \( ip host 10.1.1.98 or ip host 10.1.1.99 \)I get captured packets.
But when I do:
tcpdump -vv -i eth1 \( vlan 1000 or vlan 501 \) and \( ip host 10.1.1.98 or ip host 10.1.1.99 \)I don't get any packets -- I presume because of the "increment by 4" behavior described in the man page.
How can I capture traffic on more than one VLAN at a time?
-
Castaglia about 8 yearsPlease don't post link-only answers. They are low-quality, because links can change/go stale. It's best to include the necessary details directly in your post, and provide the link only for reference.