On Mar 3, 2010, at 8:24 AM, Filonenko Alexander-AAF013 wrote:
> Capture filters seem to accept first vlan tag and drop the rest.
$ man pcap-filter # or "man tcpdump", for versions of libpcap prior to 1.0.0
...
vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id]
is specified, only true if the packet has the specified vlan_id.
Note that the first vlan keyword encountered in expression
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
changes the decoding offsets for the remainder of expression on
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the assumption that the packet is a VLAN packet. The vlan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[vlan_id] expression may be used more than once, to filter on
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
VLAN hierarchies. Each use of that expression increments the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
filter offsets by 4.
^^^^^^^^^^^^^^^^^^^
For example:
vlan 100 && vlan 200
filters on VLAN 200 encapsulated within VLAN 100, and
vlan && vlan 300 && ip
filters IPv4 protocols encapsulated in VLAN 300 encapsulated
within any higher order VLAN.
> Are there any tricks to handle more than one vlan?
Unfortunately, none that I know of.