 | 1 | initial version |
Adding the -e option to the tcpdump command to display link level headers may reveal the presence of 'ethertype 802.1Q (0x8100)' or some other additional headers. If there are additional headers then you will need to modify your pcap_filter expression.
For example if there are 802.1Q headers then modify the pcap_filter from 'port 2152' to 'vlan and port 2152'.
If the capture includes both packets with and without 802.1Q headers a more complex pcap_filter might be needed such as 'port 2152 or vlan and port 2152'.
Review the pcap_filter(7) man page for more details on how the vlan|mpls|pppoes|geneve keywords changes the decoding offsets for the remainder of expression.
