tcpdump: capture one of several vlans
Solution 1:
I remembered that you can examine the packet bytes directly. So looking directly into the ethernet header works:
tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'
Don't forget the :2, this is a 2-byte field -- I got stuck on this for a while.
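The byte offsets the filter above relies on, worked through on constructed frames. This is an added example, not part of the original answer; the function names, MAC addresses and sample frames are made up for illustration, and only TPID 0x8100 is treated as a VLAN tag.

```python
import socket
import struct

TPID_8021Q = 0x8100
WANTED_VLANS = {1000, 501}
WANTED_HOSTS = {"10.1.1.98", "10.1.1.99"}

def build_frame(vid, src_ip, dst_ip, pcp=0):
    """Constructed sample: Ethernet + 802.1Q tag + minimal IPv4 header."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tci = (pcp << 13) | (vid & 0x0FFF)            # PCP(3) | DEI(1) | VID(12)
    tag = struct.pack("!HHH", TPID_8021Q, tci, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + ip

def vlan_id(frame):
    """802.1Q check (TPID 0x8100 only) plus ether[14:2] & 0xfff; None if untagged."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)  # the 2-byte read, ether[14:2]
    return tci & 0x0FFF                           # drop the PCP and DEI bits

def one_byte_read(frame):
    """What ether[14] & 0xfff sees without the :2 (first TCI byte only)."""
    return frame[14] & 0x0FFF

def matches(frame):
    """Mirror of the whole filter: VLAN in the set and IPv4 src or dst in the set."""
    if vlan_id(frame) not in WANTED_VLANS:
        return False
    if len(frame) < 38 or struct.unpack_from("!H", frame, 16)[0] != 0x0800:
        return False
    src = socket.inet_ntoa(frame[30:34])          # 14 + 4 (tag) + 12
    dst = socket.inet_ntoa(frame[34:38])          # 14 + 4 (tag) + 16
    return src in WANTED_HOSTS or dst in WANTED_HOSTS

if __name__ == "__main__":
    f = build_frame(1000, "10.1.1.98", "10.2.2.2", pcp=5)
    print(vlan_id(f), one_byte_read(f), matches(f))
```

The mask matters as much as the :2: with a non-zero priority in the tag, the raw 16-bit value no longer equals the VLAN ID until the top four bits are cleared.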
Solution 2:
It can be done in a simpler way than using deep packet examination, just use grep:
tcpdump -n -i eth1 -e | grep "vlan 1000"
-e: Print the link-level header on each dump line.
It will print lines like
ethertype 802.1Q (0x8100), length 60: vlan 1000, p 0, ethertype ARP
which can easily be caught by grep.
If you want to catch more than one VLAN ID, you can use a command like:
tcpdump -n -i eth1 -e | grep "vlan 1000\|vlan 501"