VLAN filter
I am capturing traffic from a trunk mirror. This trunk has over 30 VLANs and I would like to exclude some of them so I used:
tshark -i ens4f0 -f 'vlan and not (ether[14:2]&0x0fff = 100 or ether[14:2]&0x0fff = 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap
However, the filter does exactly the opposite of what I want as it is capturing only VLANs 100 and 200. If I use:
tshark -i ens4f0 -f 'vlan and (ether[14:2]&0x0fff != 100 or ether[14:2]&0x0fff != 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap
the same thing happens...
What am I missing? How can I exclude some VLANs from being captured?
NJL, what I am doing is exactly what is suggested in the post. If I understood correctly, you cannot capture two VLANs using "and", so you must use the expression I am using above. But as I said, I am getting the VLANs filtered, but the opposite of what I need: it will only capture 100 and 200 and exclude what I want to capture.
That last expression should be: ..!= 100 and ether[...
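To make the boolean point above concrete, here is an added example (not from the thread or from Wireshark/libpcap) that models, in plain Python, what the three capture filters in this thread test: the `vlan` primitive checks the TPID at byte offset 12 of the frame, and `ether[14:2]&0x0fff` takes the VLAN ID from the low 12 bits of the TCI at bytes 14..15. The frames, MAC addresses and payload are constructed for the example. It shows why `vid != 100 or vid != 200` keeps every tagged frame (one side of the `or` is always true), while `not (vid = 100 or vid = 200)` and `vid != 100 and vid != 200` are equivalent and drop exactly those two VLANs.

```python
import struct

TPID_8021Q = 0x8100  # TPID that the pcap `vlan` primitive looks for at offset 12

# Constructed sample data (not captured from any real trunk).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # start of a dummy IPv4 header


def tagged_frame(vid, pcp=0, ethertype=0x0800, payload=PAYLOAD):
    """Build a minimal 802.1Q-tagged Ethernet frame carrying VLAN `vid`.

    Layout: dst(6) src(6) TPID(2)@12 TCI(2)@14 ethertype(2)@16 payload.
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
    """
    tci = (pcp << 13) | (vid & 0x0FFF)
    return DST + SRC + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def untagged_frame(ethertype=0x0800, payload=PAYLOAD):
    """Build a plain (untagged) Ethernet frame: ethertype sits at offset 12."""
    return DST + SRC + struct.pack("!H", ethertype) + payload


def is_vlan(frame):
    """What the `vlan` primitive tests: 0x8100 at byte offset 12."""
    return struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q


def vid(frame):
    """ether[14:2] & 0x0fff: the VLAN ID from the TCI field."""
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


# Each predicate mirrors one capture filter from the thread.
def filter_not_or(frame):
    # vlan and not (ether[14:2]&0x0fff = 100 or ether[14:2]&0x0fff = 200)
    return is_vlan(frame) and not (vid(frame) == 100 or vid(frame) == 200)


def filter_ne_or(frame):
    # vlan and (ether[14:2]&0x0fff != 100 or ether[14:2]&0x0fff != 200)
    # Always true for a tagged frame: no VID can equal both 100 and 200.
    return is_vlan(frame) and (vid(frame) != 100 or vid(frame) != 200)


def filter_ne_and(frame):
    # vlan and (ether[14:2]&0x0fff != 100 and ether[14:2]&0x0fff != 200)
    # Equivalent to filter_not_or by De Morgan's law.
    return is_vlan(frame) and (vid(frame) != 100 and vid(frame) != 200)


def kept_vids(predicate, frames):
    """Return the VLAN IDs (None for untagged) of the frames a filter keeps."""
    return [vid(f) if is_vlan(f) else None for f in frames if predicate(f)]


SAMPLE = [
    tagged_frame(100),
    tagged_frame(200),
    tagged_frame(300, pcp=5),
    tagged_frame(4094),
    untagged_frame(),
]

if __name__ == "__main__":
    for name, pred in [("not (A or B)", filter_not_or),
                       ("A' or B'", filter_ne_or),
                       ("A' and B'", filter_ne_and)]:
        print(f"{name:14s} keeps VLANs {kept_vids(pred, SAMPLE)}")
```

This models the frame with the 802.1Q tag in place, which is how it appears in a saved pcap. Whether the in-kernel BPF program sees the same bytes depends on the libpcap version and on whether the NIC strips the tag (VLAN offloading), so the model tells you what the expression means, not what a given libpcap build compiles it to; compare it against `tcpdump -d '<filter>'` or `dumpcap -d` on the capturing host.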
@moacir: yeah I realized that after reading the article in detail, hence I deleted my original post. Apologies for not realizing it before I posted :-)
Jaap, I just tested your suggestion using 'vlan and (ether[14:2]&0x0fff != 100 and ether[14:2]&0x0fff != 200)'; it didn't work either. It captures exactly the opposite, meaning only VLAN 100 and VLAN 200.
You can verify BPF filters using dumpcap's -d option. For example, on my Windows machine with WinPcap 4.1.3, I get:

On my Linux machine with libpcap 1.4.0, I get a slightly different result for the same filter, where either 0x8100 or 0x9100 is accepted as the TPID for an 802.1Q frame:
I must confess that when it comes to dumpcap I am just a dummy. Anyway, I am using CentOS 7 and I did use dumpcap as you suggested, and what I have is:

On the "real" environment I did (the ...
Your dumpcap version is quite old, but your libpcap version is newer than mine. (My Linux machine is running RHEL6.) I honestly don't understand what these lines mean either:

I think there is very likely a bug with your version of libpcap. Can you try to upgrade? From http://www.tcpdump.org/libpcap-changes.txt, I see the following, which might be relevant:
Look:

yum list installed | grep libcap
compat-libcap1.x86_64 1.10-7.el7 @anaconda/7.4
libcap.x86_64 2.22-9.el7 @anaconda/7.4
libcap-ng.i686 0.7.5-4.el7 @rhel-7-workstation-rpms
libcap-ng.x86_64 0.7.5-4.el7 @anaconda/7.4

So I guess the libcap on my system is quite a bit above the 1.7.0 you mention. BTW, your link sends us to 1.8.0, not to 1.7.0. I guess the confusion is that I installed wireshark from EPEL and that was the way they compiled dumpcap, using an old libpcap. I will probably need to uninstall it, download all the sources and compile them on the machine. This will take quite long, as this system cannot have Internet access... Anyway, any other suggestion?