Tshark capture filter using VLAN ID
Hi All,
Is the following one a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6 of a VM in OpenStack?
tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng
Even though there's quite a bit of traffic on that VLAN, it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html
It works perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng
but sadly I cannot use it as I need to trace a particular set of VLANs that cannot be specified in a single vlan option (and using it more than once is hierarchical afaik).
Here's my tshark version info:
[root@sniffer centos]# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.54.2, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with
Lua 5.1, without Python, with GnuTLS 3.3.26, with Gcrypt 1.5.3, with MIT
Kerberos, without GeoIP.
Running on Linux 3.10.0-862.14.4.el7.x86_64, with locale en_US.UTF-8, with
libpcap version 1.5.3, with libz 1.2.7.
Intel Xeon Processor (Skylake, IBRS)
Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-36).
[root@sniffer centos]#
Many thanks in advance!
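An added example, not part of the original post: it builds a byte-offset capture filter for a set of VLAN IDs and evaluates the same test (`ether[12:2]` as the 802.1Q TPID, `ether[14:2]&0x0fff` as the VLAN ID) on raw frame bytes. The function names and sample frames are constructed for illustration, and it assumes the 802.1Q tag is present in the bytes the filter is evaluated on.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag at ether[12:2]

def build_capture_filter(vlan_ids):
    """Return a pcap byte-offset filter matching any VLAN ID in vlan_ids."""
    ids = sorted(set(vlan_ids))
    if not ids or any(not 0 <= v <= 0x0FFF for v in ids):
        raise ValueError("VLAN IDs must be 12-bit values (0-4095)")
    terms = " or ".join(f"ether[14:2]&0x0fff={v}" for v in ids)
    return f"ether[12:2]=0x{TPID_8021Q:04x} and ({terms})"

def raw_tci_low12(frame):
    """What ether[14:2]&0x0fff evaluates to, with no TPID check."""
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

def vlan_id(frame):
    """Return the VLAN ID carried in the frame bytes, or None if untagged."""
    if len(frame) < 18:  # dst(6) + src(6) + TPID(2) + TCI(2) + EtherType(2)
        return None
    tpid = struct.unpack_from("!H", frame, 12)[0]
    return raw_tci_low12(frame) if tpid == TPID_8021Q else None

def matches(frame, vlan_ids):
    """Evaluate the generated filter's logic against one frame."""
    return vlan_id(frame) in set(vlan_ids)

def make_frame(vid=None, pcp=0):
    """Constructed sample frame: IPv4 payload, optionally 802.1Q-tagged."""
    macs = bytes.fromhex("020000000002" "020000000001")  # made-up MACs
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    payload = b"\x45\x00" + bytes(44)  # starts like an IPv4 header
    return macs + tag + struct.pack("!H", 0x0800) + payload

if __name__ == "__main__":
    wanted = {2001, 2002}
    print('tshark -f "%s" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng'
          % build_capture_filter(wanted))
    for label, frame in [("tagged 2001", make_frame(2001, pcp=5)),
                         ("tagged 100", make_frame(100)),
                         ("untagged", make_frame())]:
        print(label, "vlan_id =", vlan_id(frame),
              "raw ether[14:2]&0x0fff =", raw_tci_low12(frame),
              "match =", matches(frame, wanted))
```

On the untagged frame, bytes 14 and 15 are payload rather than a tag, so the raw offset test yields an unrelated number; the TPID comparison is what keeps it from matching by accident.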