tcpdump - shows VLAN tag, but filtering doesn't work?
14,853
Probably your tcpdump version is too old, this should work starting from tcpdump 4.9.2 / libcap 1.5.3.
tcpdump -i em2 -n -e '(vlan 2002)'
works with these versions on a RHEL 7 system (loads of stuff output ...)
Related videos on Youtube
09 : 59
How to Create a VLAN - A Beginner's Guide // OpenWrt Router
07 : 11
IEEE 802 1Q: Tagging and Trunking 101
01 : 13 : 15
OSINT: You can't hide // Your privacy is dead // Best resources to get started
07 : 41
Wireshark 101: Fixing Network Problems with Wireshark, HakTip 134
16 : 43
Cisco IOS Embedded Packet Capture - Example/How To
25 : 48
Bridge VLAN Filtering in MikroTik
27 : 39
Citrix ADC GUI Diagnostic Tools Overview
24 : 39
##F5##BIG-IP#Wireshark Packet Capture on F5#Practically Explained# Must Watch Video till end#TCPDUMP
Author by
SofaKng
Updated on September 18, 2022Comments
-
SofaKng almost 2 years
I'm running tcpdump on a mirrored port and when I use a simple tcpdump command it shows the VLAN id:
tcpdump -i eth1 -n -e 22:02:53.308715 78:31:c1:c6:c8:9e (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 114: vlan 10, p 0, ethertype IPv4, redacted-MBP.home.redacted.net.netbios-ns > 192.168.10.255.netbios-ns: NBT UDP PACKET(137): REFRESH(8); REQUEST; BROADCASTHowever, if I try to filter on the vlan 10 id then it doesn't show any packets:
tcpdump -i eth1 -n -e '(vlan 10)'What am I doing wrong?
-
Mekong almost 8 yearsI tested on Fedora 23, tcpdump --version tcpdump version 4.7.4 libpcap version 1.7.4 It works. What is your distro, tcpdump version?
-
Jeremy Dover almost 8 yearsSupport for shortcuts in BPF syntax is spotty across versions; for example I have tcpdump 4.1 and libpcap 1.4.0, and the 'vlan' shortcut does not work. It isn't pretty, but this BPF will work forvlan 10:ether[12:2] = 0x8100 and ether[15] = 10
-
