Revision history
initial version

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. If however I try moving the -f "vlan and ether[14:2]&0x0fff=2001" after "-ni ens5 -ni ens6" it then captures traffic on many VLANs (probably on all of them) and not just on 2001.

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. If however I try moving the -f "vlan and ether[14:2]&0x0fff=2001" behind "-ni ens5 -ni ens6" it then captures traffic on many VLANs (probably on all of them) and not just on 2001.

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. If however I try moving the -f "vlan and ether[14:2]&0x0fff=2001" behind "-ni ens5 -ni ens6" it then captures traffic on many VLANs (probably on all of them) and not just on 2001.

It does work perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it 'cos I need to trace a particular set of VLANs that I cannot specify using vlan once (and using vlan more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. If however I try moving the -f "vlan and ether[14:2]&0x0fff=2001" behind "-ni ens5 -ni ens6" it then captures traffic on many VLANs (probably on all of them) and not just on 2001.

It does work perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it 'cos I need to trace a particular set of VLANs that I cannot specify using vlan once (and using vlan more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. If however I try moving the -f "vlan and ether[14:2]&0x0fff=2001" behind "-ni ens5 -ni ens6" it then captures traffic on many VLANs (probably on all of them) and not just on 2001.

It does work perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it 'cos I need to trace a particular set of VLANs that I cannot specify using vlan once (and using vlan more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It does work perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it 'cos I need to trace a particular set of VLANs that I cannot specify using vlan once (and using vlan more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid capture filter to capture only VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It does work perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it 'cos I need to trace a particular set of VLANs that I cannot specify using vlan once (and using vlan more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It does work perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it 'cos I need to trace a particular set of VLANs that I cannot specify using vlan once (and using vlan more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6 of a VM in Openstack?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It works perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it as I need to trace a particular set of VLANs that cannot be specified in a single vlan option (and using it more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following one a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6 of a VM in Openstack?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It works perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it as I need to trace a particular set of VLANs that cannot be specified in a single vlan option (and using it more than once is hierarchical afaik).

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following one a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6 of a VM in Openstack?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It works perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it as I need to trace a particular set of VLANs that cannot be specified in a single vlan option (and using it more than once is hierarchical afaik).

Here's my tshark version info:

[root@sniffer centos]# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)
Copyright 1998-2015 Gerald Combs [email protected] and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.54.2, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with
Lua 5.1, without Python, with GnuTLS 3.3.26, with Gcrypt 1.5.3, with MIT
Kerberos, without GeoIP.
Running on Linux 3.10.0-862.14.4.el7.x86_64, with locale en_US.UTF-8, with
libpcap version 1.5.3, with libz 1.2.7.
Intel Xeon Processor (Skylake, IBRS)
Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-36).
[root@sniffer centos]#

Many thanks in advance!

Tshark capture filter using VLAN ID

Hi All,

Is the following one a valid capture filter for VLAN 2001 traffic on interfaces ens5 and ens6 of a VM in Openstack?

tshark -f "vlan and ether[14:2]&0x0fff=2001" -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng

Even though there's quite a bit of traffic on that VLAN it doesn't capture a single packet for some reason. This one tells me it should be working fine: https://www.wireshark.org/lists/wireshark-users/201003/msg00036.html

It works perfectly well with tshark vlan 2001 -ni ens5 -ni ens6 -w /tmp/sniffer.pcapng but sadly I cannot use it as I need to trace a particular set of VLANs that cannot be specified in a single vlan option (and using it more than once is hierarchical afaik).

Here's my tshark version info:

[root@sniffer centos]# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)
 Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
 This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Compiled (64-bit) with GLib 2.54.2, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with
Lua 5.1, without Python, with GnuTLS 3.3.26, with Gcrypt 1.5.3, with MIT
Kerberos, without GeoIP.
 Running on Linux 3.10.0-862.14.4.el7.x86_64, with locale en_US.UTF-8, with
libpcap version 1.5.3, with libz 1.2.7.
 Intel Xeon Processor (Skylake, IBRS)
 Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-36).
[root@sniffer centos]#

Many thanks in advance!
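
What the expression in the question reads from the frame bytes, as an added example that is not part of the original post: in an 802.1Q-tagged Ethernet frame, bytes 12-13 hold the tag type 0x8100 and bytes 14-15 hold the tag control field, whose low 12 bits are the VLAN ID. The helper names and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(vlan_id=None, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame: dst MAC, src MAC, optional 802.1Q tag, EtherType."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        # Tag control field: 3-bit priority, 1-bit DEI (left 0), 12-bit VLAN ID
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def ether(frame, offset, size):
    """Same value the filter accessor ether[offset:size] yields (big-endian)."""
    return int.from_bytes(frame[offset:offset + size], "big")


def vlan_id_of(frame):
    """Return ether[14:2] & 0x0fff when ether[12:2] is 0x8100, else None."""
    if len(frame) < 16 or ether(frame, 12, 2) != TPID_8021Q:
        return None
    return ether(frame, 14, 2) & 0x0FFF


def matches(frame, vlan_ids):
    """Byte-level test for 'tagged and VLAN ID in the wanted set'."""
    vid = vlan_id_of(frame)
    return vid is not None and vid in set(vlan_ids)


def select(frames, vlan_ids):
    """Indices of the frames that carry one of the wanted VLAN IDs."""
    return [i for i, f in enumerate(frames) if matches(f, vlan_ids)]


if __name__ == "__main__":
    frames = [
        build_frame(2001, pcp=5),  # priority bits set, so the 0x0fff mask matters
        build_frame(2002),
        build_frame(None),         # untagged: bytes 12-13 are the real EtherType
    ]
    for i, f in enumerate(frames):
        print(i, hex(ether(f, 12, 2)), hex(ether(f, 14, 2)), vlan_id_of(f))
    print(select(frames, {2001, 2002}))
```

A frame with no tag at byte 12 at the point where the bytes are tested can never satisfy the `ether[14:2]` comparison, whatever VLAN it belonged to.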