I've been trying to sniff a trunk running multiple VLANs with DumpCap, and would like to filter out all VLAN traffic except the VoIP VLAN, which is VLAN 11. I have tried using the filter qualifier such as -f vlan 11 or -f "vlan 11" or -f vlan:11. None of these permutations have worked. Anyone out there had any success with using a VLAN capture filter? If so, can you elaborate?

Here is my full command-line:

dumpcap -i 2 -b files:144 -b duration:600 -f "vlan 11" -w dumptest.pcap

Thanks!

asked 17 Jan '14, 08:58 randyp
One Answer:
Finally figured this one out for myself.

tshark -i1 -c 5000 -f "vlan 11" -w filname.pcapng

This syntax works just fine with the -f filter; problem was that my company laptop was running Symantec Endpoint Protection in the background. Once I turned it off, the VLANs showed up! I was having the same issue trying to do a capture filter for certain TCP or UDP ports--that also works fine now.

dumpcap -i1 -c 5000 -f "tcp port 443" -w filename.pcapng

answered 27 Jan '14, 10:56 randyp
Are you actually capturing vlan-tagged frames? See the VLAN wiki page.
On which OS is this?
Running WinXP. VLAN tagged packets show up when I run it through the Wireshark GUI--but I will double-check this. I see from the DumpCap website that anytime you use a filter that contains a space, you must enclose it with quotation marks--when I do this, it acts like it takes the command, but never captures anything. Problem is, for an extended capture and for the amount of traffic, I have to use DumpCap to keep it from locking up.
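
One way to check the point raised in the comments (whether tagged frames reach the capture at all), as an added example that is not part of the original thread: count frames per 802.1Q VLAN ID in an unfiltered capture. It assumes a classic little-endian pcap file with Ethernet link type (not pcapng); the helper names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


def vlan_histogram(pcap_bytes):
    """Count frames per VLAN ID; untagged frames are counted under None."""
    magic, *_unused, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    counts = Counter()
    offset = 24  # size of the pcap global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<I", pcap_bytes, offset + 8)[0]
        frame = pcap_bytes[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype == TPID_8021Q and len(frame) >= 16:
            tci = struct.unpack_from("!H", frame, 14)[0]
            counts[tci & 0x0FFF] += 1  # low 12 bits of the TCI are the VLAN ID
        else:
            counts[None] += 1
    return counts


def build_frame(vlan=None, pcp=0):
    """Constructed frame: dummy MACs, optional 802.1Q tag, IPv4 EtherType."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


def build_pcap(frames):
    """Wrap constructed frames in a classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


# Constructed sample: two VLAN 11 frames (one with priority 5), one VLAN 20, one untagged
SAMPLE = build_pcap([build_frame(11), build_frame(11, pcp=5), build_frame(20), build_frame()])

if __name__ == "__main__":
    for vid, n in vlan_histogram(SAMPLE).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

If an unfiltered capture from the trunk shows only untagged frames, the tags are being removed before the capture engine sees them, and a "vlan 11" capture filter will match nothing.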