Ethereal-users: Re: [Ethereal-users] Sniffing VLAN tagged packets with capture filter
On Fri, Apr 30, 2004 at 02:36:20PM -0500, PHIL ENTZ wrote:
> Now, I would think the capture filter "(vlan 2 and net 192.168.1.0) or (net
> 192.168.1.0)" should capture all the traffic to and from the network but it
> doesn't - I still see only the vlan tagged traffic.
>
> What am I missing?
The following section from the tcpdump man page:

    vlan [vlan_id]
           True if the packet is an IEEE 802.1Q VLAN
           packet. If [vlan_id] is specified, only
           true is the packet has the specified
           vlan_id. Note that the first vlan keyword
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           encountered in expression changes the decod-
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           ing offsets for the remainder of expression
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           on the assumption that the packet is a VLAN
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           packet.
           ^^^^^^

At some point I might, for a number of reasons, redo the way the libpcap
expression compiler works; a side-effect of that might be that only the
clause covered by the "vlan and" will assume the packet is a VLAN
packet, so your expression would work in that case - but that's not how
it works now.
> and how would one construct a capture filter to accomplish my
> objective?
(net 192.168.1.0) or (vlan 2 and net 192.168.1.0)
should work.
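
Added example, not part of the original message and not libpcap code: a small Python model of the behaviour the man page excerpt describes, run over two constructed frames to show why the order of the clauses matters. The frame builder, the tuple form of the filters, and treating "net 192.168.1.0" as a /24 match are assumptions of this sketch.

```python
import ipaddress
import struct

NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: net matched as a /24

def frame(src, dst, vlan=None):
    """Constructed Ethernet + IPv4 frame, optionally 802.1Q tagged."""
    macs = bytes(12)                                    # dst MAC + src MAC
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    ip = (b"\x45" + bytes(11) + ipaddress.ip_address(src).packed
          + ipaddress.ip_address(dst).packed)
    return macs + tag + struct.pack("!H", 0x0800) + ip + bytes(8)

def compile_filter(clauses):
    """clauses is an OR of AND-lists in source order.
    Each primitive is bound to the offset shift in force when it is compiled;
    the first 'vlan' adds 4 bytes for everything compiled after it,
    regardless of the parentheses."""
    shift, compiled = 0, []
    for clause in clauses:
        bound = []
        for prim in clause:
            bound.append((prim, shift))
            if prim[0] == "vlan":
                shift += 4
        compiled.append(bound)
    return compiled

def _test(prim, shift, pkt):
    ethertype = struct.unpack_from("!H", pkt, 12 + shift)[0]
    if prim[0] == "vlan":
        tci = struct.unpack_from("!H", pkt, 14 + shift)[0]
        return ethertype == 0x8100 and (tci & 0x0FFF) == prim[1]
    if ethertype != 0x0800:                             # "net": IPv4 only
        return False
    ip = 14 + shift
    addrs = (pkt[ip + 12:ip + 16], pkt[ip + 16:ip + 20])
    return any(ipaddress.ip_address(a) in NET for a in addrs)

def matches(compiled, pkt):
    return any(all(_test(p, s, pkt) for p, s in clause) for clause in compiled)

# (vlan 2 and net 192.168.1.0) or (net 192.168.1.0)
VLAN_FIRST = compile_filter([[("vlan", 2), ("net",)], [("net",)]])
# (net 192.168.1.0) or (vlan 2 and net 192.168.1.0)
NET_FIRST = compile_filter([[("net",)], [("vlan", 2), ("net",)]])

UNTAGGED = frame("192.168.1.10", "10.0.0.1")
TAGGED = frame("192.168.1.10", "10.0.0.1", vlan=2)
```

In this model VLAN_FIRST misses UNTAGGED because its second "net" reads the EtherType 4 bytes too far into the frame, while NET_FIRST matches both frames.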