initial version

For capturing multiple vlans, you can use a capture filter such as this:

ether proto 0x8100 and (((ether[14:2] & 0x0fff) = 70) or ((ether[14:2] & 0x0fff) = 90))

You can verify the resulting BPF code using dumpcap's -d option, for example:

dumpcap -i eth0 -d -f "ether proto 0x8100 and (((ether[14:2] & 0x0fff) = 70) or ((ether[14:2] & 0x0fff) = 90))"
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x8100          jt 2    jf 7
(002) ldh      [14]
(003) and      #0xfff
(004) jeq      #0x46            jt 6    jf 5
(005) jeq      #0x5a            jt 6    jf 7
(006) ret      #262144
(007) ret      #0

If you want to capture all ICMP traffic, whether the ICMP traffic is VLAN-tagged or not, then you should be able to use a filter such as "icmp or (vlan and icmp)". Here's the sample BPF-generated code:

dumpcap -i eth0 -d -f "icmp or (vlan and icmp)"
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 4
(002) ldb      [23]
(003) jeq      #0x1             jt 10   jf 11
(004) jeq      #0x8100          jt 6    jf 5
(005) jeq      #0x9100          jt 6    jf 11
(006) ldh      [16]
(007) jeq      #0x800           jt 8    jf 11
(008) ldb      [27]
(009) jeq      #0x1             jt 10   jf 11
(010) ret      #262144
(011) ret      #0

If you want to exclude IP traffic, whether the IP traffic is VLAN-tagged or not, then you should be able to use a filter such as "not (ip or (vlan and ip))". Again, here's the sample BPF-generated code:

dumpcap -i eth0 -d -f "not (ip or (vlan and ip))"
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x800           jt 6    jf 2
(002) jeq      #0x8100          jt 4    jf 3
(003) jeq      #0x9100          jt 4    jf 7
(004) ldh      [16]
(005) jeq      #0x800           jt 6    jf 7
(006) ret      #0
(007) ret      #262144

NOTE The -d output may vary a bit with respect to the VLAN TPIDs. Notice in the last 2 examples the additional check for 0x9100. On my Windows machine running dumpcap 2.6.2 with WinPcap 4.1.3, 0x9100 is not checked, but with dumpcap 1.12.13 and libpcap 1.4.0, it is checked. Modify your filter if needed or upgrade your version of dumpcap, libpcap, WinPcap or npcap as desired.
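To confirm what a -d listing really accepts or drops before relying on it for a capture, here is an added example (not part of the original answer): a small interpreter for the classic BPF opcodes that dumpcap -d emits for these filters (ldh, ldb, and, jeq, ret), run over constructed frames against the VID 70/90 listing above. The frame builder, the listing constant name and the interpreter are assumptions of this example; the ICMP and IP listings from the answer use the same opcodes and can be pasted in the same way.

```python
import re
import struct

# dumpcap -d output for the VID 70 or 90 filter, pasted verbatim from the answer above.
VLAN_70_OR_90 = """
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x8100          jt 2    jf 7
(002) ldh      [14]
(003) and      #0xfff
(004) jeq      #0x46            jt 6    jf 5
(005) jeq      #0x5a            jt 6    jf 7
(006) ret      #262144
(007) ret      #0
"""

INSN = re.compile(r"\(\d+\)\s+(\w+)\s+(\S+)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?")

def parse_program(text):
    # One (op, arg, jt, jf) tuple per instruction; "Capturing on ..." and blank lines are skipped.
    return [m.groups() for m in (INSN.match(l.strip()) for l in text.splitlines()) if m]

def run_bpf(prog, pkt):
    # Returns the snaplen to keep (non-zero = accept) or 0 (drop), as the capture filter would.
    # Only the opcodes dumpcap -d emits for the filters in this answer are implemented.
    acc, pc = 0, 0
    while True:
        op, arg, jt, jf = prog[pc]
        if op in ("ldh", "ldb"):
            off, width = int(arg.strip("[]")), 2 if op == "ldh" else 1
            if off + width > len(pkt):        # out-of-bounds load rejects the packet
                return 0
            acc = int.from_bytes(pkt[off:off + width], "big")
        elif op == "and":
            acc &= int(arg.lstrip("#"), 0)
        elif op == "jeq":                     # conditional jump; jt/jf are absolute targets
            pc = int(jt) if acc == int(arg.lstrip("#"), 0) else int(jf)
            continue
        elif op == "ret":
            return int(arg.lstrip("#"), 0)
        pc += 1

def frame(tci=None, ethertype=0x0800, ip_proto=1):
    # Constructed test frame (hypothetical addresses): Ethernet header, optional 802.1Q tag
    # (TPID 0x8100 + full 16-bit TCI), then a minimal IPv4 header with the protocol byte at IP offset 9.
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if tci is not None:
        eth += struct.pack("!HH", 0x8100, tci)
    eth += struct.pack("!H", ethertype)
    ipv4 = bytes([0x45, 0x00, 0x00, 0x28]) + b"\x00" * 4 + bytes([64, ip_proto]) + b"\x00" * 10
    return eth + ipv4 + b"\x00" * 8
```

Passing a TCI with priority bits set (for example 0x6046, PCP 3 on VID 70) shows why the filter masks with 0x0fff: the frame still matches, while an untagged frame or VID 80 is dropped.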
