Wireshark-users: Re: [Wireshark-users] 802.1Q VLAN header's affect on capture filter functionalit

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 14 Mar 2008 08:03:26 +0100
On Thu, Mar 13, 2008 at 06:23:50PM -0400, info wrote:
> When capturing packets with 802.1Q VLAN headers most of my capture 
> filters no longer work.
> 
> Presumably, this is due to the offset created by the 4-byte header.
> 
> How does one adjust for the offset to regain capture filter functionality?

You can do this by specifying "vlan" in the capture filter. I.e., if you want
to capture 802.1q frames with ip.addr 192.168.1.1 you can use:

"vlan and host 192.168.1.1"

Please note that all filter expressions after the keyword "vlan" are
evaluated with the 4-byte shift. So if you want to also filter on some
fields in non-vlan-tagged frames, you should put these filter strings
*before* the keyword "vlan". I.e., if you want to select frames to/from
host 192.168.1.1, both 802.1q tagged and non-tagged, you need to use:

"host 192.168.1.1 or (vlan and host 192.168.1.1)"

The filter string: "(vlan and host 192.168.1.1) or host 192.168.1.1"
won't work.

See also: http://wiki.wireshark.org/CaptureSetup/VLAN

Hope this helps,
Cheers,
    Sake
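
Added example (not part of the message above and not libpcap code): a simplified Python model of the behaviour described in the reply, where "vlan" shifts the offsets of every primitive compiled after it, run against two constructed frames. The tuple filter syntax and the names frame, compile_filter and verdicts are hypothetical, and "host" is reduced to an IPv4 source/destination match.

```python
import socket
import struct

HOST = "192.168.1.1"  # address used in the filters above

def frame(src, dst, vlan_id=None):
    """Constructed Ethernet + IPv4 header, optionally with an 802.1Q tag."""
    macs = bytes(12)  # zeroed dst/src MACs, irrelevant here
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return macs + tag + struct.pack("!H", 0x0800) + ip

def compile_filter(expr, state=None):
    """Compile a nested-tuple filter left to right, carrying the offset shift."""
    state = {"shift": 0} if state is None else state
    op = expr[0]
    if op == "vlan":
        off = 12 + state["shift"]
        state["shift"] += 4  # persists for every primitive compiled afterwards
        return lambda f: f[off:off + 2] == b"\x81\x00"
    if op == "host":
        s = state["shift"]  # frozen at compile time
        addr = socket.inet_aton(expr[1])
        return lambda f: (f[12 + s:14 + s] == b"\x08\x00"
                          and addr in (f[26 + s:30 + s], f[30 + s:34 + s]))
    left = compile_filter(expr[1], state)
    right = compile_filter(expr[2], state)
    if op == "and":
        return lambda f: left(f) and right(f)
    return lambda f: left(f) or right(f)

TAGGED_HOST = ("and", ("vlan",), ("host", HOST))
WORKING = ("or", ("host", HOST), TAGGED_HOST)   # host ... or (vlan and host ...)
BROKEN = ("or", TAGGED_HOST, ("host", HOST))    # (vlan and host ...) or host ...

def verdicts(expr):
    """Return (matches untagged frame, matches VLAN-tagged frame)."""
    match = compile_filter(expr)
    untagged = frame(HOST, "10.0.0.5")
    tagged = frame("10.0.0.5", HOST, vlan_id=100)
    return match(untagged), match(tagged)

if __name__ == "__main__":
    print("working:", verdicts(WORKING))
    print("broken: ", verdicts(BROKEN))
```

In this model the second ordering silently drops the untagged frame, because the trailing "host" primitive looks for the EtherType and addresses 4 bytes too far into the frame.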