 | 1 | initial version |
A BPF (capture) filter can be used to check for a value on a fixed position in the packet.
For example:
tcpdump -r VNTagged_and_tagged_traffic.pcap "link[14:4] = 0 && link[18:2] = 0x8100"
In this example the VNTAG contains the 6 bytes 00 00 00 00 81 00 (after the ethernet header).
For a host (IP) address on an unrecognized position you can do the same. Something like link[36:4] = 0x01010101 || link[40:4] = 0x01010101.