Wireshark-users: Re: [Wireshark-users] filter out PVST packets?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 27 Oct 2011 22:51:06 -0700
On Oct 26, 2011, at 10:00 AM, Dave Sparks wrote:

> Any pointers on how to filter out PVST packets?
> 
> # tshark -i vlan701 not stp
> Capturing on vlan701
>  0.000000 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013
>  2.013488 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013
>  4.026868 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013
>  6.039309 Cisco_6a:50:13 -> PVST+        STP RST. Root = 0/1/00:12:f2:94:dc:00  Cost = 7  Port = 0x8013

PVSTP+ does *NOT* use the standard Ethernet type or LLC SAP for STP; instead, it uses SNAP and an OUI of 00:00:0C and a protocol ID of 0x010b.  Unfortunately, there's no simple primitive to check for SNAP+{OUI}+{Protocol ID}.  The way you do that is dependent on the link layer type; for Ethernet I think it'd be

	ether[12:2] <= 1500 and ether[14:4] == 0xaaaa0300 and ether[18:4] == 0x000c010b
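To make the byte offsets in that filter concrete, here is an added Python example (not from this thread or from Wireshark) that applies the same three checks to constructed Ethernet frames: the 802.3 length field at offset 12, the SNAP header AA AA 03 at offset 14, then the Cisco OUI and protocol ID at 17..21. It also shows why `not stp` leaves PVST+ in the capture: those frames carry no 0x42 STP SAP. The source MAC and the BPDU body are made-up placeholders; the destination multicasts and the CDP protocol ID used for contrast are the standard values.

```python
import struct

# Header bytes named in the thread: SNAP header, Cisco OUI and the PVST+ protocol ID.
SNAP_HDR = bytes.fromhex("aaaa03")       # DSAP 0xAA, SSAP 0xAA, control 0x03
CISCO_OUI = bytes.fromhex("00000c")
PVST_PID = 0x010b
CDP_PID = 0x2000                          # another Cisco SNAP protocol, for contrast
STP_SAP = 0x42                            # IEEE 802.1D BPDUs use LLC SAP 0x42, no SNAP


def matches_pvst_filter(frame: bytes) -> bool:
    """Literal translation of the capture filter:
    ether[12:2] <= 1500 and ether[14:4] == 0xaaaa0300 and ether[18:4] == 0x000c010b"""
    def ether(off: int, n: int) -> int:
        return int.from_bytes(frame[off:off + n], "big")
    return (len(frame) >= 22 and ether(12, 2) <= 1500
            and ether(14, 4) == 0xAAAA0300 and ether(18, 4) == 0x000C010B)


def classify(frame: bytes) -> str:
    """Walk the same header fields step by step; returns 'pvst+', 'stp' or 'other'."""
    if len(frame) < 22:
        return "other"
    length_or_type = struct.unpack("!H", frame[12:14])[0]
    if length_or_type > 1500:             # an EtherType (e.g. 0x0800): no LLC header follows
        return "other"
    if frame[14:17] == bytes([STP_SAP, STP_SAP, 0x03]):
        return "stp"                      # this is what the 'stp' primitive matches
    if frame[14:17] == SNAP_HDR and frame[17:20] == CISCO_OUI:
        if struct.unpack("!H", frame[20:22])[0] == PVST_PID:
            return "pvst+"
    return "other"


def build_8023(dst: bytes, src: bytes, llc_payload: bytes) -> bytes:
    """Constructed 802.3 frame: dst, src, 2-byte length, then the LLC payload."""
    return dst + src + struct.pack("!H", len(llc_payload)) + llc_payload


# Constructed sample frames. Source MAC is made up; destinations are the standard
# PVST+ (01:00:0c:cc:cc:cd), CDP (01:00:0c:cc:cc:cc) and IEEE STP (01:80:c2:00:00:00) groups.
SRC = bytes.fromhex("0000006a5013")
BPDU_BODY = bytes(35)                     # placeholder BPDU body, contents irrelevant here
PVST_FRAME = build_8023(bytes.fromhex("01000ccccccd"), SRC,
                        SNAP_HDR + CISCO_OUI + struct.pack("!H", PVST_PID) + BPDU_BODY)
STP_FRAME = build_8023(bytes.fromhex("0180c2000000"), SRC,
                       bytes([STP_SAP, STP_SAP, 0x03]) + BPDU_BODY)
CDP_FRAME = build_8023(bytes.fromhex("01000ccccccc"), SRC,
                       SNAP_HDR + CISCO_OUI + struct.pack("!H", CDP_PID) + bytes(20))
IP_FRAME = bytes.fromhex("ffffffffffff") + SRC + b"\x08\x00" + bytes(40)

if __name__ == "__main__":
    for name, f in [("PVST", PVST_FRAME), ("STP", STP_FRAME), ("CDP", CDP_FRAME), ("IP", IP_FRAME)]:
        print(f"{name}: classify={classify(f)} filter_match={matches_pvst_filter(f)}")
```

Prefixing the filter with `not` (or wrapping it in `not (...)`) gives the exclusion the original question asked for; the CDP frame shows that the OUI alone is not enough, the protocol ID is needed too.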