Wireshark-users: Re: [Wireshark-users] Filtering multiple VLAN tags

From: "NEWMAN Christopher" <Christopher.Newman@xxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Sep 2008 16:00:26 -0500
Ha ha.  It was a test... you passed!  ;) 

Your suggestion also worked!  I'll have to look into how to use this
more to make sure it supports a third tag.  Looks like it will.

Still, if anyone knows how to get this to work with the "-T fields -e
<field>" option, please let me know.  I attached a sample packet to try
out.

It seems like the field method should work.  Perhaps a bug report needs
to be written for this.

Thanks,
Chris

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of ronnie
sahlberg
Sent: Monday, September 29, 2008 4:39 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Filtering multiple VLAN tags

You didnt attach a file:-)


Try :
-z proto,colinfo,vlan.id,vlan.id

it should print both instances of the field



On Tue, Sep 30, 2008 at 5:39 AM, NEWMAN Christopher
<Christopher.Newman@xxxxxxxxxxxxxxxxxx> wrote:
> I appreciate the reply, Steve.  Attached a pcap file with a stacked 
> frame.
>
> Here's some of the stuff I tried to get both VLAN IDs:
>> tshark -r stacked_vlans_1pkt.pcap -T fields -e vlan.id
> 102
>> tshark -r stacked_vlans_1pkt.pcap -T fields -e vlan.id -e vlan.id
>        102
>> tshark -r stacked_vlans_1pkt.pcap -T fields -e vlan[0].id
> tshark: No match.
>> tshark -r stacked_vlans_1pkt.pcap -T fields -e vlan[1].id
> tshark: No match.
>> tshark -r stacked_vlans_1pkt.pcap -T fields -e vlan.id.0
>
>> tshark -r stacked_vlans_1pkt.pcap -T fields -e vlan.id.1
>
> If anyone gets it to work, it should return an outer VLAN 101 and 
> inner VLAN 102.
>
> Thanks,
> Chris
>
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen 
> Fisher
> Sent: Monday, September 29, 2008 1:41 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Filtering multiple VLAN tags
>
> On Thu, Sep 25, 2008 at 03:53:14PM -0500, NEWMAN Christopher wrote:
>
>> I'm using tshark to parse a captured packet.  Most fields are easy to

>> grab, but I can't figure out how to grab both VLAN tags from a 
>> stacked
>
>> Ethernet frame.  The following command returns the inner (2nd) VLAN
>> ID:
>>
>>      tshark -r test.pcap -c 1 -T fields -e vlan.id
>
> Do you have a *small* (1 packet is fine) capture file you are able to 
> share with us so we can try it ourselves and possibly fix it?
>
>
> Steve
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users

Attachment: stacked_vlans_1pkt.pcap
Description: stacked_vlans_1pkt.pcap