Ask Your Question
0

Capture filter for VNTAG packets

asked 2023-09-07 15:19:20 +0000

gary_li gravatar image

Hello,

Does anyone have a solution to filter VNTAG packets in capture (not read filter)? Because of the VNTAG insertion before the IP header, the "host" capture filter no longer works.

Thanks, Gary

edit retag flag offensive close merge delete

Comments

Can you post an example capture on a public file share to experiment with?

SYN-bit gravatar imageSYN-bit ( 2023-09-07 15:48:03 +0000 )edit

Sample capture attached to 7496: Cant parse VNTAGGED frames correctly (opcode 8926) with additional Vlan 802.1Q inside

Dissector - packet-vntag.c

Similar question: PCAP Filter with VN-Tag Present

Chuckc gravatar imageChuckc ( 2023-09-07 16:49:06 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-09-10 18:07:05 +0000

André gravatar image

A BPF (capture) filter can be used to check for a value on a fixed position in the packet.
For example:

tcpdump -r VNTagged_and_tagged_traffic.pcap "link[14:4] = 0 && link[18:2] = 0x8100"

In this example the VNTAG contains the 6 bytes 00 00 00 00 81 00 (after the ethernet header).

For a host (IP) address on an unrecognized position you can do the same. Something like link[36:4] = 0x01010101 || link[40:4] = 0x01010101.

edit flag offensive delete link more

Comments

We've used similar filter "ether[36:4]" but the fact that you have to convert an IP to hex value makes it very inconvenient to use. I was hoping that the host filter is smart enough to do the detection and conversion with vn-tag present.

gary_li gravatar imagegary_li ( 2023-09-21 15:00:17 +0000 )edit

There is simply no filter for VNTAG, the complete list can be found here: https://www.tcpdump.org/manpages/pcap...

But if you like decimal, you can also check byte-by-byte link[36] = 1 && link[37] = 1 && link[38] = 1 && link[39] = 1 etc.. Or weirder, treat the 4 bytes as 1 decimal number link[36:4] = 16843009.

André gravatar imageAndré ( 2023-09-22 20:23:01 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-09-07 15:19:20 +0000

Seen: 111 times

Last updated: Sep 10 '23