A little oddity about pcap filter sequences
By Daniel Ebdrup on Saturday, January 24 2015, 17:28
A discussion on EFnet's #bsd-dk today revealed an oddity about the filter sequence that tcpdump uses when libpcap has been compiled with VLAN support and you want to filter VLANs in or out of your output. It turns out that vlan statements should seemingly always be specified at the beginning of the filter expression, in the following fashion:
tcpdump -i trunk1 vlan 42 and not port 80
If the statement is reversed, i.e. not port 80 and vlan 42, you can't reliably expect output on all systems.
Another interesting thing about this is that while plenty of sites demonstrate VLAN support, the filter sequence is hardly ever brought up.
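Why the order matters, as an added example that is not from the original post: pcap-filter(7) documents that the first vlan keyword shifts the decoding offsets for the remainder of the expression, so a port test placed before it is evaluated as if the frame were untagged. The Python model below is a simplification (IPv4 with TCP or UDP only), and the frame builder, the `Decoder` class and the two filter functions are hypothetical names evaluated against constructed frames.

```python
import struct

def tagged_frame(vid, dport):
    """Constructed Ethernet + 802.1Q + IPv4 + TCP frame (sample data, not a capture)."""
    eth = bytes(12) + struct.pack("!HHH", 0x8100, vid & 0x0FFF, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 0, 0, 0x5002, 1024, 0, 0)
    return eth + ip + tcp

class Decoder:
    """Evaluates primitives in order, tracking the offset shift described in pcap-filter(7)."""
    def __init__(self, frame):
        self.f, self.shift = frame, 0

    def vlan(self, vid):
        # Test for an 802.1Q tag at the current position, then shift later decoding by 4 bytes.
        etype, tci = struct.unpack_from("!HH", self.f, 12 + self.shift)
        self.shift += 4
        return etype == 0x8100 and (tci & 0x0FFF) == vid

    def port(self, p):
        o = 12 + self.shift
        (etype,) = struct.unpack_from("!H", self.f, o)
        if etype != 0x0800:
            return False              # no IPv4 header at this offset, so no port match
        ip = o + 2
        if self.f[ip + 9] not in (6, 17):
            return False              # neither TCP nor UDP
        l4 = ip + (self.f[ip] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", self.f, l4)
        return p in (sport, dport)

def vlan_first(frame):                # models: vlan 42 and not port 80
    d = Decoder(frame)
    return d.vlan(42) and not d.port(80)

def port_first(frame):                # models: not port 80 and vlan 42
    d = Decoder(frame)
    return (not d.port(80)) and d.vlan(42)

if __name__ == "__main__":
    for dport in (80, 443):
        f = tagged_frame(42, dport)
        print(dport, "vlan first:", vlan_first(f), "port first:", port_first(f))
```

In this model the reversed expression accepts the port 80 frame on VLAN 42, because the port test sees EtherType 0x8100 where it expects IPv4 and never reaches the TCP header.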