Revision history [back]

I'm doing some captures an an Interface and Writing it to Files. In this interface I'm receiving two expected Vlans (2010, and 2020)...

But I saw some hosts in the network sending QinQ vlans... I dicovered it whent I did a: tshark -r capture.pcap -Y "vlan.id == 2010"-o 'gui.column.format:"Mac-Source","%uhs","Vlan","%Cus:vlan.id"' Then i saw some packets, with other vlan tags then 2010: xx:xx:xx:13:ed:c0 2010,446 xx:xx:xx:13:ed:c0 2010,446 xx:xx:xx:13:ed:c0 2010,1037 xx:xx:xx:13:ed:c0 2010,1037

And I want to create an expression to display-filter that only shows the packets with more then one Vlan Tags.

I shure that only packest with first Vlan tags with 2010 and 2020 will come, but I cant precise any vlan ID that will appear on second vlan tag.

Does anybody have any suggestion?

I'm doing some captures an an Interface and Writing it to Files. In this interface I'm receiving two expected Vlans (2010, and 2020)...

But I saw some hosts in the network sending QinQ vlans... I dicovered it whent I did a: tshark -r capture.pcap -Y "vlan.id == 2010"-o 'gui.column.format:"Mac-Source","%uhs","Vlan","%Cus:vlan.id"' Then i saw some packets, with other vlan tags then 2010: 2010:

• xx:xx:xx:13:ed:c0 2010,446 2010,446
• xx:xx:xx:13:ed:c0 2010,446 xx:xx:xx:13:ed:c0 2010,1037 2010,446
• xx:xx:xx:13:ed:c0 2010,1037

• xx:xx:xx:13:ed:c0 2010,1037

And I want to create an expression to display-filter that only shows the packets with more then one Vlan Tags.

I shure that only packest with first Vlan tags with 2010 and 2020 will come, but I cant precise any vlan ID that will appear on second vlan tag.

Does anybody have any suggestion?