Thanks a lot Alex, that's exactly the problem since the university uses VLANs
based on packet tags.
Actually I'm using pcap to do some packet payload processing on FreeBSD. It
seems right now that if I use the filter "ip or (vlan and ip)", the packet
returned from pcap contains the VLAN tag. I wonder if there's a way to let the
OS strip off the tag before delivering?

Thanks.
Lei


On Wed, Sep 10, 2008 at 11:45 AM, Alexander Dupuy <[EMAIL PROTECTED]> wrote:

> You wrote:
>
>> ...matched by the filter expression, so with a filter, tcpdump can only
>> process
>> 3984 out of 1091656 ip packets....  And also, the port I'm monitoring on
>> is a mirror of the
>> department building uplink, it should have a major component of ip
>> packets.
>>
>
> As Guy Harris pointed out, the filter "ip" will match only IPv4, not
> IPv6, traffic.  However, if you feel that you are not seeing all the IP
> traffic that you expect to, it may be that the uplink is using VLAN tagging
> for some (or most of the) packets - the default "ip" filter will not
> recognize this traffic.
>
> To see all IPv4 traffic on a port where some of the traffic is using 802.1q
> VLAN tagging, use a filter like "ip or (vlan and ip)" instead.  Note that
> the order of the subexpressions is important - everything to the right of
> the "vlan" keyword will generate filters that only recognize VLAN tagged
> packets (and everything to the left of the vlan keyword will generate
> filters that only recognize non-VLAN tagged packets).
>
> This means that the expression "tcp and (ip or (vlan and ip))" will not
> work as you would hope - it will only match non-VLAN TCP.  You must write
> the filter "(tcp and ip) or (vlan and tcp and ip)" instead, to match IPv4
> TCP with or without vlan.
>
> If you still don't see all the IP traffic you expect with a filter that
> matches VLAN traffic, it is possible that other IP encapsulations are in use
> (e.g. if there is bridged traffic from an 802.3 network that is using SNAP
> for IP) but these are much less likely to be the case (and I'm not sure if
> tcpdump can actually filter them).
>
> @alex
>
> --
> mailto:[EMAIL PROTECTED]
>
>


-- 
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill,
NC 27599-3175
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
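The thread above makes two points that are easy to get wrong in a pcap consumer: a plain "ip" filter never sees 802.1Q-tagged IPv4, and a frame that does match "vlan and ip" is handed to the application with the tag still in place. The following is an added example, not code from the list thread or from libpcap, showing how an application can do the tag handling itself: it walks past one or more 802.1Q/802.1ad tags to the real ethertype, records the VLAN IDs, and can rebuild an untagged frame for downstream payload processing. The sample frames, MAC addresses and IPv4 headers are constructed for the demonstration; `count_ipv4` mirrors the difference between the two filter expressions discussed above by counting frames whose outer ethertype is IPv4 against frames whose ethertype after tag stripping is IPv4.

```python
import struct
from dataclasses import dataclass
from typing import List

ETH_P_IP = 0x0800      # IPv4
ETH_P_IPV6 = 0x86DD    # IPv6
ETH_P_8021Q = 0x8100   # 802.1Q customer VLAN tag
ETH_P_8021AD = 0x88A8  # 802.1ad service (QinQ) tag
VLAN_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_ids: List[int]   # outer tag first; empty for untagged frames
    ethertype: int        # ethertype of the payload after any tags
    payload: bytes


def strip_vlan(raw: bytes) -> Frame:
    """Parse an Ethernet frame and skip any 802.1Q/802.1ad tags.

    Each tag is 4 bytes: TPID (already read as the 'ethertype') followed by
    a TCI whose low 12 bits are the VLAN ID; the next 2 bytes are the next
    TPID or the real payload ethertype.
    """
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    (ethertype,) = struct.unpack_from("!H", raw, off)
    off += 2
    vlan_ids: List[int] = []
    while ethertype in VLAN_TPIDS:
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", raw, off)
        vlan_ids.append(tci & 0x0FFF)
        off += 4
    return Frame(dst, src, vlan_ids, ethertype, raw[off:])


def untagged_frame(f: Frame) -> bytes:
    """Re-serialise a parsed frame without its VLAN tags."""
    return f.dst + f.src + struct.pack("!H", f.ethertype) + f.payload


def count_ipv4(frames):
    """Return (outer_ip_matches, ip_after_stripping) for a list of raw frames.

    The first number is what a bare "ip" filter would see; the second is what
    "ip or (vlan and ip)" would see.
    """
    outer = inner = 0
    for raw in frames:
        if struct.unpack_from("!H", raw, 12)[0] == ETH_P_IP:
            outer += 1
        if strip_vlan(raw).ethertype == ETH_P_IP:
            inner += 1
    return outer, inner


# ---- constructed sample data (not captured traffic) -----------------------
def ipv4_payload(proto: int) -> bytes:
    # Minimal 20-byte IPv4 header, no options, checksum left zero (constructed).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def build_frame(ethertype: int, payload: bytes, vlan_ids=()) -> bytes:
    # Constructed MAC addresses; one 802.1Q tag per VLAN ID, outer first.
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


SAMPLE_FRAMES = [
    build_frame(ETH_P_IP, ipv4_payload(6)),                   # untagged IPv4/TCP
    build_frame(ETH_P_IP, ipv4_payload(17), [10]),            # VLAN 10, IPv4/UDP
    build_frame(ETH_P_IPV6, b"\x60" + b"\x00" * 39, [10]),    # VLAN 10, IPv6
    build_frame(ETH_P_IP, ipv4_payload(6), [100, 10]),        # QinQ-style stacked tags
]

if __name__ == "__main__":
    print("ip vs ip-or-vlan-and-ip:", count_ipv4(SAMPLE_FRAMES))
    for raw in SAMPLE_FRAMES:
        f = strip_vlan(raw)
        print(f"vlans={f.vlan_ids} ethertype=0x{f.ethertype:04x} payload={len(f.payload)}B")
```

Only the outer ethertype of the first sample frame is IPv4, so a bare "ip" filter would count one frame while the tag-aware path counts three; the IPv6 frame is correctly excluded either way. Once `strip_vlan` has run, the payload offset no longer depends on how many tags were present, which is the property a payload-processing loop actually needs.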