This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

display filter for multi-tagged packets (vlan/mpls)?

as far as i can see there is no way to distinguish multiple vlan (and mpls) tags with a display filter. e.g. in a double-tagged frame both vlan-ids are named "vlan.id" and i can not set a specific filter for the second tag. is there a way to do this, like "vlan[2].id" maybe? i know i can use something like "frame[18:04]==00:78:81:00" but if i want to check if the cfi-bit in the second tag is set i have to use "frame[18]&0x16" instead of something more readable like "vlan[2].cfi == 1".

diplay-filter mpls vlan

asked 03 Dec '12, 08:14

scathaig
1●1●1●1
accept rate: 0%

One Answer:

Take a look at the answer of SYN-bit for the following question:

http://ask.wireshark.org/questions/16140/wireshark-capture-displays-inner-ip-when-traffic-is-ipinip

I have not tried it, but the same should work for a VLAN tag. That's not a display filter as you need it, but at least you can view the various tags in tshark and then filter the output with other tools (grep, etc.).

Another option would (possibly) be a display filter macro:

http://www.wireshark.org/docs/wsug_html_chunked/ChDisplayFilterMacrosSection.html?

Define your macro like this:

vlan2_cfi_set -> (frame[18]&0x16)

then use the macro in a display filter:

ip.addr eq 1.2.3.4 and ${vlan2_cfi_set}

Regards
Kurt

answered 03 Dec '12, 08:35

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 03 Dec '12, 09:19