Capture filter for IP address in PPP-over-double-tagged-Ethernet traffic

0

OK, I give up--been bangin' my head against this one for a while now. I know how it SHOULD work, but something's wrong. I am sniffing a trunk carrying double-tagged traffic on a distribution switch with massive amounts of data, so I don't have the liberty of capturing all packets and then doing a display filter. I need to capture a single IP address (using the WS GUI, not TShark), so I enter "host 1.2.3.4" without the quotes, for example. But this captures zero packets. If I capture all the traffic and then display filter it for 1.2.3.4, it appears in numerous packets, so I know the IP is correct.

If I enter the MAC address associated with the IP in the capture filter, "ether host ab:cd:ef:12:34:56", it works perfectly. I read where this could possibly be due to encapsulation, so I've tried "ip and host 1.2.3.4". I have also tried "ppp and host 1.2.3.4". I have also tried "pppoe and host 1.2.3.4". I have also tried "pppoes and host 1.2.3.4".

Nothing's working so far. Anyone have a suggestion? Thanks!

asked 18 Feb '14, 15:42

randyp
accept rate: 0%

edited 19 Feb '14, 15:18

Guy Harris ♦♦

Is it possible to post a small sample capture file (just a few frames, taken without capture filter) with the double vlan tags on google drive, dropbox, cloudshark.org?

(19 Feb '14, 10:18) Kurt Knochner ♦

Kurt, I did a raw capture with no filters, which captured all packets on the trunk (VLAN 873:1032 only on this pipe), then display-filtered it down to a single IP so it ended up with about 300 packets. Uploaded to CloudShark as VLAN873-1032-withSingleIP. Thanks for taking a look!

(19 Feb '14, 12:29) randyp

The link is missing.

(19 Feb '14, 13:14) Kurt Knochner ♦
(19 Feb '14, 13:46) randyp

One Answer:

3

I am sniffing a trunk carrying double-tagged traffic

Then you need to be careful with capture filters.

If you want to capture traffic to 1.2.3.4 in traffic with no tags, the correct filter is host 1.2.3.4.

If you want to capture traffic to 1.2.3.4 in traffic with one level of VLAN tagging, the correct filter is vlan and host 1.2.3.4 - and bear in mind that any IP-layer or above filter operations after vlan and will look only at packets with one layer of tagging.

If you want to capture traffic to 1.2.3.4 in traffic with two levels of VLAN tagging, the correct filter is vlan and vlan and host 1.2.3.4 - and bear in mind that any IP-layer or above filter operations after vlan and will look only at packets with two layers of tagging.

(Bear in mind that vlan checks either for 0x8100 or 0x9100 as an Ethernet type, so vlan will match either of those and vlan and vlan will match 0x8100+0x8100, 0x8100+0x9100, 0x9100+0x8100, or 0x9100+0x9100.)

answered 18 Feb '14, 16:00

Guy Harris ♦♦
accept rate: 19%

What you suggested makes sense, but unfortunately, it didn't work either. I am going to try the same idea with a different NIC card that understands double-tags. I'll let you know how that works. And thanks for the response!

(19 Feb '14, 07:06) randyp
1

Your frames are double-tagged, but also 'encapsulated' in PPPoE. That's the reason why the capture filter does not work: the IP header is at a different location if you encapsulate the frames in PPPoE.

In this case the capture filter would be: vlan and vlan and pppoes and host x.x.x.x

(19 Feb '14, 13:57) Kurt Knochner ♦

Thanks for the help, guys, that worked! Here's what I found, though:

Using a NIC card that is not capable of tagging VLANs, I had to use "vlan and pppoes and host 1.2.3.4". This would only show the inner tag of the double-tagged frame in my VLAN column.

If I use a NIC card that is capable of tagging, I had to use "vlan and vlan and pppoes and host 1.2.3.4". This would show both the inner and outer tags in the two VLAN columns I have set up in WS.

Thanks again! I will click the "Credit" button for you!

(21 Feb '14, 09:16) randyp
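The answer and the follow-up comment both come down to offsets: a plain "host" filter reads the ethertype at byte 12 and expects the IPv4 header at byte 14, while each "vlan" keyword shifts that position by 4 bytes and "pppoes" shifts it past the 6-byte PPPoE session header and the 2-byte PPP protocol field. The script below is an added illustration, not code from the original thread or from libpcap/Wireshark: it builds a constructed double-tagged PPPoE frame carrying IPv4 (VLAN IDs, MAC addresses and IPs are made up), walks the encapsulation the way the filter keywords do, and shows which filter prefixes actually reach the IP header. The ethertypes 0x8100 and 0x9100 are the ones the answer names; 0x88A8 is the 802.1ad service-tag ethertype and is added here as an assumption about what a modern "vlan" also accepts. The single-tag case models the second comment's finding, on the assumption that the non-tagging NIC or its driver had already stripped the outer tag before capture.

```python
"""Walk the encapsulation of a PPPoE-over-double-tagged Ethernet frame to
show where the IPv4 header really sits, and emulate how the libpcap
'vlan' / 'pppoes' keywords move the offset that 'host' then reads from."""
import struct
from ipaddress import IPv4Address

VLAN_TYPES = {0x8100, 0x9100, 0x88A8}   # 0x8100/0x9100 per the answer; 0x88A8 (802.1ad) is an assumption
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864        # what the 'pppoes' keyword matches
PPP_PROTO_IPV4 = 0x0021


def build_frame(src_ip, dst_ip, vlan_ids=(873, 1032), pppoe=True):
    """Constructed sample frame: Ethernet, 0..n 802.1Q tags, then either
    PPPoE-session + PPP or a bare IPv4 ethertype, then a 20-byte IPv4 header."""
    frame = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")  # dst, src (constructed MACs)
    for vid in vlan_ids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)   # TCI: priority 0, DEI 0, VID
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0x1234, 0, 64, 6, 0,   # IHL 5, TTL 64, proto TCP, checksum left 0
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    if pppoe:
        # PPPoE session header: ver/type 0x11, code 0 (session data), session id, payload length
        pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, 0x0001, 2 + len(ip_hdr))
        frame += struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe_hdr
        frame += struct.pack("!H", PPP_PROTO_IPV4) + ip_hdr
    else:
        frame += struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    return frame


def locate_ipv4(frame, keywords):
    """Emulate the filter prefix (e.g. ["vlan", "vlan", "pppoes"]) by walking the
    ethertype chain; return the IPv4 header offset, or None if the frame does not
    carry the expected encapsulation at some step."""
    off = 12                       # position of the first ethertype field
    for kw in keywords:
        etype = struct.unpack_from("!H", frame, off)[0]
        if kw == "vlan":
            if etype not in VLAN_TYPES:
                return None
            off += 4               # skip ethertype + TCI; the next ethertype follows
        elif kw == "pppoes":
            if etype != ETHERTYPE_PPPOE_SESSION:
                return None
            ppp_proto = struct.unpack_from("!H", frame, off + 2 + 6)[0]
            return off + 2 + 6 + 2 if ppp_proto == PPP_PROTO_IPV4 else None
        else:
            raise ValueError(f"unsupported keyword {kw!r}")
    # no 'pppoes' consumed: 'host' expects a plain IPv4 ethertype at this position
    etype = struct.unpack_from("!H", frame, off)[0]
    return off + 2 if etype == ETHERTYPE_IPV4 else None


def host_matches(frame, addr, keywords=()):
    """Equivalent of '<keywords> and host addr': True if the IPv4 header reached
    by walking the encapsulation has addr as source or destination."""
    ip_off = locate_ipv4(frame, keywords)
    if ip_off is None:
        return False
    src = IPv4Address(frame[ip_off + 12:ip_off + 16])
    dst = IPv4Address(frame[ip_off + 16:ip_off + 20])
    return IPv4Address(addr) in (src, dst)


if __name__ == "__main__":
    f = build_frame("10.0.0.9", "1.2.3.4")
    print("host 1.2.3.4                          :", host_matches(f, "1.2.3.4"))
    print("vlan and vlan and host 1.2.3.4        :", host_matches(f, "1.2.3.4", ["vlan", "vlan"]))
    print("vlan and vlan and pppoes and host ... :", host_matches(f, "1.2.3.4", ["vlan", "vlan", "pppoes"]))
    print("IPv4 header offset in that frame      :", locate_ipv4(f, ["vlan", "vlan", "pppoes"]))
```

Running it shows the plain and "vlan and vlan" prefixes both fail (the second lands on the 0x8864 ethertype rather than 0x0800), while "vlan and vlan and pppoes" finds the IPv4 header at offset 30 and matches. A frame built with a single tag matches only with the shorter "vlan and pppoes" prefix, which is why the number of "vlan" keywords has to equal the number of tags the capturing NIC actually delivers.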