 | 1 | initial version |
Ubunutu 14.04.1, libpcap v 1.5.3
Linux has a long history of "helpfully" removing VLAN tags from packets supplied to the capture mechanism used by libpcap (PF_PACKET sockets).
libpcap has had to work around this "help" in a number of places. Dating back to libpcap 1.0.0, it's reconstructed the original packet by using VLAN tag information provided by the kernel; however, that doesn't handle packet filtering, which is done in the kernel after the VLAN tags were removed and before the packet is handed up to libpcap.
There are several closed-by-pulling-them-into-libpcap pull requests to fix the handling of VLAN tags in kernel filtering in Linux (issue #362 in that list is the only one that isn't related to that, although #686, #704, and #708 are code cleanups of the fixes rather than being fixes themselves, and some are earlier fix attempts abandoned in favor of later fixes). #391 was the first of the fixes; it first appeared in libpcap 1.7.2.
So you're going to need a bigger boat^W^W^W newer version of libpcap; 1.5.3 can't handle filtering of VLAN packets on Linux in live captures.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
