Wireshark-users: Re: [Wireshark-users] Filtering both vlan-tagged as untagged frames with an ip-f
Sake Blok wrote:
While analysing a problem today I discovered that I had missed packets in
my session after capturing with a filter like "vlan and host x.x.x.x".
After making a trace with no filter, I could see that packets in one
direction were tagged, while they were not tagged in the other direction.
Then I tried a filter like "(vlan or not vlan) and host x.x.x.x", but
that just doesn't work.
Does anyone know how to capture both vlan-tagged frames and untagged
frames with an ip-address filter?
Might this be a WinPcap bug?
Does it count as a bug if it's documented to work that way? :-)
To quote the OS X 10.4.9 tcpdump man page (this isn't WinPcap-specific -
it's common to all libpcap/WinPcap implementations):
vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If
[vlan_id] is specified, only true if the packet has the
specified vlan_id. Note that the first vlan keyword
encountered in expression changes the decoding offsets
for the remainder of expression on the assumption that
the packet is a VLAN packet.
As the second sentence says, "Note that the first vlan keyword
encountered in expression changes the decoding offsets for the
remainder of expression on the assumption that the packet is a VLAN
packet." The "vlan" in "vlan and host x.x.x.x" causes the "host
x.x.x.x" to check for VLAN-encapsulated packets with an IPv4 address of
x.x.x.x.
To check for both VLAN-encapsulated and non-VLAN-encapsulated packets
with that IPv4 address, try
host x.x.x.x or (vlan and host x.x.x.x)
(or use "ip host x.x.x.x" in both cases if you don't care about ARP
packets).
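Added example, not part of this thread and not libpcap's code: a small Python model of the behaviour the man page describes. libpcap's Ethernet filters test fixed link-layer offsets (EtherType at 12, IPv4 addresses at 26 and 30), and the first "vlan" keyword pushes every later offset 4 bytes deeper to skip the 802.1Q tag. The frames, the addresses 10.0.0.1/10.0.0.2 and VLAN 100 are constructed here for illustration. The model only handles IPv4, so it corresponds to "ip host x.x.x.x" rather than the ARP-matching "host x.x.x.x".

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4         # TPID (2) + TCI (2)


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet II frame carrying a bare IPv4 header.
    Constructed test data: MACs and payload are arbitrary."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45                               # IPv4, IHL=5
    struct.pack_into("!H", ip_hdr, 2, len(ip_hdr))  # total length
    ip_hdr[8] = 64                                 # TTL
    ip_hdr[9] = 1                                  # protocol: ICMP
    ip_hdr[12:16] = _ip_bytes(src_ip)
    ip_hdr[16:20] = _ip_bytes(dst_ip)
    frame = dst_mac + src_mac
    if vlan_id is not None:
        # Insert the 802.1Q tag before the real EtherType (priority/DEI bits 0)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip_hdr)


def _u16(frame, off):
    return struct.unpack_from("!H", frame, off)[0]


def ip_host_match(frame, ip, shift=0):
    """Model of 'ip host ip': EtherType at 12+shift must be IPv4, then compare
    the source address at 26+shift and the destination at 30+shift.
    'shift' is 0 for the untagged layout and 4 once a 'vlan' keyword applies."""
    ethertype_off = 12 + shift
    if len(frame) < ethertype_off + 2 + 20:
        return False
    if _u16(frame, ethertype_off) != ETHERTYPE_IPV4:
        return False
    ip_start = ethertype_off + 2
    want = _ip_bytes(ip)
    return (frame[ip_start + 12:ip_start + 16] == want
            or frame[ip_start + 16:ip_start + 20] == want)


def vlan_match(frame, vlan_id=None):
    """Model of 'vlan [vlan_id]': TPID 0x8100 at offset 12, optional VID check."""
    if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
        return False
    if _u16(frame, 12) != ETHERTYPE_VLAN:
        return False
    if vlan_id is not None and (_u16(frame, 14) & 0x0FFF) != vlan_id:
        return False
    return True


def filter_vlan_and_host(frame, ip):
    """'vlan and ip host ip': host is evaluated at the shifted offsets only."""
    return vlan_match(frame) and ip_host_match(frame, ip, shift=VLAN_TAG_LEN)


def filter_vlan_or_not_vlan_and_host(frame, ip):
    """'(vlan or not vlan) and ip host ip': the first 'vlan' already shifted the
    offsets, so the host test still only fits tagged frames."""
    tagged = vlan_match(frame)
    return (tagged or not tagged) and ip_host_match(frame, ip, shift=VLAN_TAG_LEN)


def filter_host_or_vlan_and_host(frame, ip):
    """'ip host ip or (vlan and ip host ip)': the first term uses untagged
    offsets, the second term (after 'vlan') uses the shifted ones."""
    return (ip_host_match(frame, ip, shift=0)
            or (vlan_match(frame) and ip_host_match(frame, ip, shift=VLAN_TAG_LEN)))


if __name__ == "__main__":
    target = "10.0.0.1"
    samples = {
        "untagged 10.0.0.1->10.0.0.2": build_frame("10.0.0.1", "10.0.0.2"),
        "vlan 100  10.0.0.2->10.0.0.1": build_frame("10.0.0.2", "10.0.0.1", vlan_id=100),
        "untagged 10.0.0.3->10.0.0.4": build_frame("10.0.0.3", "10.0.0.4"),
    }
    for name, frame in samples.items():
        print(name,
              "vlan&host:", filter_vlan_and_host(frame, target),
              "(vlan|!vlan)&host:", filter_vlan_or_not_vlan_and_host(frame, target),
              "host|(vlan&host):", filter_host_or_vlan_and_host(frame, target))
```

To see the real thing, compare `tcpdump -d 'ip host 10.0.0.1'` with `tcpdump -d 'vlan and ip host 10.0.0.1'`: the loads in the second program sit 4 bytes deeper (EtherType at [16], addresses at [30] and [34]), which is exactly why the untagged direction disappears from the capture.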