Wireshark-users: Re: [Wireshark-users] Capture filter with multiple VLANs
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 1 Aug 2019 07:24:03 +0200
Hi,

For this you have to go lower in the stack and access the packet bytes directly.

Have a look at proto [ expr : size ], where proto is ether. Now you can access the bytes in the ethernet frame directly.
So start looking for 8100 as the ethertype, then extend the _expression_ to make comparisons for the VID field in the VLAN header.

Hope it helps.
Jaap


On 1 Aug 2019, at 00:40, Todd Adamson <tadamson@xxxxxxxxxxx> wrote:

Is it possible to create a capture filter to deal with multiple vlans?  What I would like to do is:

not (vlan 20 or vlan 30)
or
not vlan 20 and not vlan 30

So far, from what I've read, only the first vlan element is used in the filter.

Ideas?

Thanks.

Todd