Home / server / Questions / 196250
Accepted
bstpierre
Asked: 2010-10-30 08:31:26 +0800 CST

tcpdump: capture one of several vlans

  • 772

I want tcpdump to capture VLAN 1000 or VLAN 501. man pcap-filter says:

The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.

When I do:

tcpdump -vv -i eth1 \( vlan 1000 \) and \( ip host 10.1.1.98 or ip host 10.1.1.99 \)

I get captured packets.

But when I do:

tcpdump -vv -i eth1 \( vlan 1000 or vlan 501 \) and \( ip host 10.1.1.98 or ip host 10.1.1.99 \)

I don't get any packets -- I presume because of the "increment by 4" behavior described in the man page.

How can I capture traffic on more than one VLAN at a time?

vlan tcpdump packet-capture sniffing

3 Answers

  1. Best Answer

    I remembered that you can examine the packet bytes directly. So looking directly into the ethernet header works:

    tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'

    Don't forget the :2, this is a 2 byte field -- I got stuck on this for a while.

    • 16

  2. It can be done in more simply way than using deep packet exam, just use grep: 

    tcpdump -n -i eth1 -e | grep "vlan 1000"

    -e: Print the link-level header on each dump line.

    it will print lines like

    ethertype 802.1Q (0x8100), length 60: vlan 1000, p 0, ethertype ARP

    which can be easily catch by grep

    If you want catch more than one VLAN ID you can use command like:

    tcpdump -n -i eth1 -e | grep "vlan 1000\|vlan 501"
    • 9
    • 0