Ask Your Question
1

Tshark capture filter using VLAN ID

asked 2019-04-11 07:23:22 +0000

dandreye gravatar image

updated 2019-04-11 14:00:00 +0000

grahamb gravatar image

Hi All,

Is the following one a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6 of a VM in Openstack?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It works perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it as I need to trace a particular set of VLANs that cannot be specified in a single vlan option (and using it more than once is hierarchical afaik).

Here's my tshark version info:

[root@sniffer centos]# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.54.2, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with
Lua 5.1, without Python, with GnuTLS 3.3.26, with Gcrypt 1.5.3, with MIT
Kerberos, without GeoIP.

Running on Linux 3.10.0-862.14.4.el7.x86_64, with locale en_US.UTF-8, with
libpcap version 1.5.3, with libz 1.2.7.

Intel Xeon Processor (Skylake, IBRS)

Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-36).
[root@sniffer centos]#

Many thanks in advance!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-04-11 19:23:39 +0000

Guy Harris gravatar image

Is the following one a valid capture filter for VLAN 2001 traffic

It's valid, but vlan and ether[14:2]&0x0fff=2001 is exactly the same as vlan 2001 ("exactly" as in "generates exactly the same BPF machine code"), at least with recent versions of libpcap.

vlan and (ether[14:2]&0x0fff=2001 or ether[14:2]&0x0fff=2002) will test for VLANs 2001 or 2002.

edit flag offensive delete link more

Comments

I was also expecting "vlan and ether[14:2]&0x0fff=2001" to be equivalent to "vlan 2001" but comment #5 in the following thread tells me it may no longer be the case? (the thread implies Ubuntu though: not sure if it's equally applicable to CentOS 7 I'm using) "The kernel no longer passes vlan tag information as-is to libpcap, instead BPF needs to access ancillary data." https://bugs.launchpad.net/ubuntu/+so... If so we would need more flexibility with the "vlan" option (effectively the only option left now) to be able to select several VLANs I suppose.

dandreye gravatar imagedandreye ( 2019-04-11 22:15:38 +0000 )edit

If you're doing a live capture on Linux, they wouldn't be equivalent. If you're doing a live capture on any other OS (or if you're using the filter when reading a capture file on programs that, like tcpdump, don't have their own filtering mechanism, but use libpcap's), they will be equivalent.

I should probably try to make vlan 2001 or 2002 work like, for example, src host 127.0.0.1 or 127.0.0.2.

Guy Harris gravatar imageGuy Harris ( 2019-04-11 22:21:41 +0000 )edit

Yes it's a live capture on CentOS 7 indeed. A way of making successive "vlan xyz" statements work in a normal i.e. non-hierarchical fashion would really help; meanwhile allowing (if possible) VLAN ranges e.g. "vlan 2001-2006,1506-1507, 1552-1553, 2025-2026" would be ideal.

dandreye gravatar imagedandreye ( 2019-04-11 23:13:21 +0000 )edit

Guy Harris: Assuming that specifying multiple VLAN IDs and ideally also allowing VLAN ranges with a single vlan option in a capture filter can be implemented at all shall I raise an enhancement request on it? If that cannot be implemented would it be possible to implement it at least in a Wireshark display filter? Many thanks in anticipation...

dandreye gravatar imagedandreye ( 2019-04-18 03:46:05 +0000 )edit

Assuming that specifying multiple VLAN IDs and ideally also allowing VLAN ranges with a single vlan option in a capture filter can be implemented at all

It probably can be implemented, but it involves some significant changes to the grammar file for capture filters, to make it work similarly to, for example, host and port.

shall I raise an enhancement request on it?

Yes, but NOT on the Wireshark bugzilla, as it's NOT a Wireshark feature, it's a libpcap feature, so you'd file it as an issue on the libpcap issue list on GitHub.

If that cannot be implemented would it be possible to implement it at least in a Wireshark display filter?

vlan.id == 2001 or vlan.id == 2002 - capture and display filters are implemented VERY differently, so you don't have the "VLAN filters have a side effect that changes the way subsequent filter terms ...(more)

Guy Harris gravatar imageGuy Harris ( 2019-04-18 04:24:40 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-04-11 07:23:22 +0000

Seen: 7,010 times

Last updated: Apr 11 '19

Related questions

How do I rewrite the Ethernet II protocol type to 0x8100?

capture vlan ID

Identify QinQ (Vlan in Vlan) Without Knowing 2nd vlan

How to dissect a VLAN frame based on Ethertype

vlan capture filter ineffective

VLAN capturing with EthUSB adapter

How to capture VLAN tagged packets

Capture filter for vlan tagged packets and non vlan tagged packets of specific ethertype

view vlan tagging with Win10pcap, not npcap - a good idea?

Using a vlans file in profile