Ask Your Question
0

Identify QinQ (Vlan in Vlan) Without Knowing 2nd vlan

asked 2018-04-29 18:03:00 +0000

fischerdouglas gravatar image

updated 2018-04-29 18:06:07 +0000

I'm doing some captures an an Interface and Writing it to Files. In this interface I'm receiving two expected Vlans (2010, and 2020)...

But I saw some hosts in the network sending QinQ vlans... I dicovered it whent I did a: tshark -r capture.pcap -Y "vlan.id == 2010"-o 'gui.column.format:"Mac-Source","%uhs","Vlan","%Cus:vlan.id"' Then i saw some packets, with other vlan tags then 2010:

  • xx:xx:xx:13:ed:c0 2010,446
  • xx:xx:xx:13:ed:c0 2010,446
  • xx:xx:xx:13:ed:c0 2010,1037
  • xx:xx:xx:13:ed:c0 2010,1037

And I want to create an expression to display-filter that only shows the packets with more then one Vlan Tags.

I shure that only packest with first Vlan tags with 2010 and 2020 will come, but I cant precise any vlan ID that will appear on second vlan tag.

Does anybody have any suggestion?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-04-29 18:34:27 +0000

fischerdouglas gravatar image

I Discovered how to do this filter!

Here is and example! tshark -r capture.pcap -Y "(vlan.id == 2010 and vlan.id != 2010) or (vlan.id == 2020 and vlan.id != 2020)"-o 'gui.column.format:"Mac-Source","%uhs","Vlan","%Cus:vlan.id"'

edit flag offensive delete link more

Comments

In case this confuses anybody:

"vlan.id == XXX and vlan.id != XXX", where the two "XXX"s are the same, is a reasonable filter, as it doesn't mean "vlan.id is simultaneously equal to XXX and not equal to XXX", it means "the packet has an instance of vlan.id that is equal to XXX and also has an instance of vlan.id that is not equal to XXX".

That filter willl match any frame that has two VLAN tags, one of which is either 2010 or 2020, and the other of which different from the other one. Frames with only one VLAN tag won't be matched. (It also won't match frames with two identical VLAN tags.)

Guy Harris gravatar imageGuy Harris ( 2018-04-29 19:52:43 +0000 )edit

That Correct!

A friend mentioned about this possibility of some bad guy using a second tag exactly with the same tag of the first Vlan. I wouldnt se those packets...

Well, until now, is the best i can find...

Accepting suggestions.

fischerdouglas gravatar imagefischerdouglas ( 2018-04-29 20:31:45 +0000 )edit

Except that that need not be a bad guy (there is nothing bad about having the VLAN IDs in the "inner" and "outer" tags the same), it is a valid point. The display filter matching only packets with more than one VLAN tag is the following:

vlan.etype == 0x8100

I.e. if the payload indicator of a VLAN header (vlan.etype) is "802.1Q Virtual LAN" (0x8100), there must be at least two VLAN headers.

On top of 0x8100, there is also a "service VLAN" ethertype 0x88a8, but that one should always be used in the Ethernet header, so the above filter should normally be sufficient.

sindy gravatar imagesindy ( 2018-04-30 19:14:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-29 18:03:00 +0000

Seen: 69 times

Last updated: Apr 29