Ask Your Question
1

Capture filter for vlan tagged packets and non vlan tagged packets of specific ethertype

asked 2019-04-18 16:23:13 +0000

skwear gravatar image

I am trying to capture traffic of ethertype 0x88b8. Some of them may be vlan tagged and some of them might not be, but the and and or operators are not behaving in the way I expect.

My first attempt was this:

(vlan and ether proto 0x88b8) or ether proto 0x88b8

I tested this capture filter on two separate laptops simultaneously, one of which receives the vlan tagged packets and other which receives the non-tagged packets.

In this case the one receiving the non-tagged packets received nothing.

I dug around and found on the pcap filter man-page and found this:

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right.

So I though order mattered somehow. So after a bit of trial-and-error I settled on this:

ether proto 0x88b8 or (vlan and ether proto 0x88b8)

and this worked on both laptops.

Has my testing yielded the correct expression? Is it redundant in some way? Why are they different and why does the latter one work? Is there anything else I should be aware of?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-04-18 16:28:50 +0000

grahamb gravatar image

This is expected, the vlan expression adjusts subequent offsets. From the man page you mentioned:

Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet.
edit flag offensive delete link more

Comments

So the reason the second expression works is because I have the vlan keyword after the or? That makes a lot of sense. Thank you!

skwear gravatar imageskwear ( 2019-04-18 16:34:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-04-18 16:23:13 +0000

Seen: 79 times

Last updated: Apr 18