Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Ubunutu 14.04.1, libpcap v 1.5.3

Linux has a long history of "helpfully" removing VLAN tags from packets supplied to the capture mechanism used by libpcap (PF_PACKET sockets).

libpcap has had to work around this "help" in a number of places. Dating back to libpcap 1.0.0, it's reconstructed the original packet by using VLAN tag information provided by the kernel; however, that doesn't handle packet filtering, which is done in the kernel after the VLAN tags were removed and before the packet is handed up to libpcap.

There are several closed-by-pulling-them-into-libpcap pull requests to fix the handling of VLAN tags in kernel filtering in Linux (issue #362 in that list is the only one that isn't related to that, although #686, #704, and #708 are code cleanups of the fixes rather than being fixes themselves, and some are earlier fix attempts abandoned in favor of later fixes). #391 was the first of the fixes; it first appeared in libpcap 1.7.2.

So you're going to need a bigger boat^W^W^W newer version of libpcap; 1.5.3 can't handle filtering of VLAN packets on Linux in live captures.