Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2018-07-05 08:13:02 +0000

moacir gravatar image

Vlan filter

I am capturing traffic from a trunk mirror. This trunk has over 30 VLANs and I would like to exclude some of them so I used:

tshark -i ens4f0 -f 'vlan and not (ether[14:2]&0x0fff = 100 or ether[14:2]&0x0fff = 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap

However, the filter does exactly the opposite of what I want as it is capturing only VLANs 100 and 200. If I use:

tshark -i ens4f0 -f 'vlan and (ether[14:2]&0x0fff != 100 or ether[14:2]&0x0fff != 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap it happens the same...

What am I missing? How can I exclude some VLANs to be captured?

click to hide/show revision 2
None

updated 2018-07-05 10:09:16 +0000

grahamb gravatar image

Vlan filter

I am capturing traffic from a trunk mirror. This trunk has over 30 VLANs and I would like to exclude some of them so I used:

tshark -i ens4f0 -f 'vlan and not **not** (ether[14:2]&0x0fff = 100 or ether[14:2]&0x0fff = 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap
/capture/trunk0.pcap

However, the filter does exactly the opposite of what I want as it is capturing only VLANs 100 and 200. If I use:

tshark -i ens4f0 -f 'vlan and (ether[14:2]&0x0fff != **!=** 100 or ether[14:2]&0x0fff != **!=** 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap it happens the same...
same...

What am I missing? How can I exclude some VLANs to be captured?

click to hide/show revision 3
None

updated 2018-07-05 10:10:06 +0000

grahamb gravatar image

Vlan filter

I am capturing traffic from a trunk mirror. This trunk has over 30 VLANs and I would like to exclude some of them so I used:

tshark -i ens4f0 -f 'vlan and **not** not (ether[14:2]&0x0fff = 100 or ether[14:2]&0x0fff = 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap

However, the filter does exactly the opposite of what I want as it is capturing only VLANs 100 and 200. If I use:

tshark -i ens4f0 -f 'vlan and (ether[14:2]&0x0fff **!=** != 100 or ether[14:2]&0x0fff **!=** != 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap it happens the same...

What am I missing? How can I exclude some VLANs to be captured?

click to hide/show revision 4
None

updated 2018-07-05 15:47:15 +0000

JeffMorriss gravatar image

Vlan filter

I am capturing traffic from a trunk mirror. This trunk has over 30 VLANs and I would like to exclude some of them so I used:

tshark -i ens4f0 -f 'vlan and not (ether[14:2]&0x0fff = 100 or ether[14:2]&0x0fff = 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap

However, the filter does exactly the opposite of what I want as it is capturing only VLANs 100 and 200. If I use:

tshark -i ens4f0 -f 'vlan and (ether[14:2]&0x0fff != 100 or ether[14:2]&0x0fff != 200)' -b filesize:1000000 -a files:10 -w /capture/trunk0.pcap /capture/trunk0.pcap

it happens the same... same...

What am I missing? How can I exclude some VLANs to be captured?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2