Capture filter for vlan tagged packets and non vlan tagged packets of specific ethertype

I am trying to capture traffic of ethertype 0x88b8. Some of them may be vlan tagged and some of them might not be, but the "and" and "or" operators are not behaving in the way I expect.

My first attempt was this:

(vlan and ether proto 0x88b8) or ether proto 0x88b8

I tested this capture filter on two separate laptops simultaneously, one of which receives the vlan tagged packets and the other of which receives the non-tagged packets.

In this case the one receiving the non-tagged packets received nothing.

I dug around on the pcap filter man page and found this:

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right.

So I thought order mattered somehow. So after a bit of trial and error I settled on this:

ether proto 0x88b8 or (vlan and ether proto 0x88b8)

and this worked on both laptops.

Has my testing yielded the correct expression? Is it redundant in some way? Why are they different and why does the latter one work? Is there anything else I should be aware of?
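
Added example, not part of the original post: a simplified Python model of how libpcap binds byte offsets while compiling the two filters above. The pcap-filter man page notes that the first vlan keyword changes the decoding offsets for the remainder of the expression, so the position of vlan decides which bytes each later ether proto test reads. The frames, function names and VLAN ID are constructed for illustration, and the model ignores kernel VLAN offload handling.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETYPE = 0x88B8         # ethertype from the post

def frame(ethertype, vlan_id=None):
    """Constructed Ethernet frame, optionally 802.1Q tagged, zero payload."""
    hdr = b"\xff" * 6 + b"\x02" + b"\x00" * 5            # dst MAC, src MAC
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id)  # TPID + TCI
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

def compile_filter(alternatives):
    """Model of compile-time offset binding (an assumption-labelled sketch).

    alternatives: list of OR branches, each a list of ANDed primitives,
    where a primitive is "vlan" or an ethertype value. Primitives are
    processed in textual order. "vlan" tests for 0x8100 at the current
    ethertype offset and then moves that offset 4 bytes for every
    primitive that follows, including those in later OR branches.
    """
    off = 12                      # ethertype offset in an untagged frame
    compiled = []
    for alt in alternatives:
        checks = []
        for prim in alt:
            if prim == "vlan":
                checks.append((off, ETH_P_8021Q))
                off += 4          # shift persists for the rest of the filter
            else:
                checks.append((off, prim))
        compiled.append(checks)
    return compiled

def matches(compiled, pkt):
    """True if any OR branch has all of its 16-bit comparisons succeed."""
    u16 = lambda o: struct.unpack_from("!H", pkt, o)[0]
    return any(all(u16(o) == v for o, v in checks) for checks in compiled)

# (vlan and ether proto 0x88b8) or ether proto 0x88b8
FIRST = compile_filter([["vlan", ETYPE], [ETYPE]])
# ether proto 0x88b8 or (vlan and ether proto 0x88b8)
SECOND = compile_filter([[ETYPE], ["vlan", ETYPE]])

if __name__ == "__main__":
    for name, flt in (("first", FIRST), ("second", SECOND)):
        for kind, pkt in (("untagged", frame(ETYPE)), ("tagged", frame(ETYPE, 10))):
            print(name, kind, matches(flt, pkt))
```

In this model the trailing ether proto test of the first filter is bound to offset 16, so it never reads the ethertype field of an untagged frame; in the second filter the untagged test is bound to offset 12 before vlan shifts anything.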