Lei Wei writes:
if I use the filter "ip or (vlan and ip)", the packet returned from
pcap contains the VLAN tag. I wonder if there's a way to let the OS
strip off the tag before delivering?
It really depends on the OS - I can't say anything about FreeBSD. While
it is possible to have Linux strip VLAN tags from trunked interfaces
(and add them on outgoing) I don't know whether this happens before or
after the Packet socket stuff (used by libpcap on Linux) gets involved.
There are tools that will take tcpdump savefiles with VLAN tagged
packets and convert them to remove that: tcprewrite (part of the
tcpreplay package - http://tcpreplay.synfin.net/) makes it very easy:
tcprewrite also allows you to add or remove 802.1q VLAN tag information
from Ethernet frames. Removing the 802.1q tag information is as simple
as specifying --vlan=del:

    $ tcprewrite --enet-vlan=del --infile=input.pcap --outfile=output.pcap

If your application requires direct libpcap access (e.g. it modifies BPF
filters dynamically) this may not work for you, but if you have an
offline analysis application, it could do the trick.
@alex
This is the tcpdump-workers list.
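What a tag-removal pass over a savefile involves, as an added example that is not part of the original post or the tcpreplay project: a pure-Python rewrite of a classic pcap byte string that drops 802.1Q tags from Ethernet frames and adjusts the record lengths. The function names and the sample capture are constructed for illustration, and only the classic pcap format with Ethernet link type is handled (not pcapng).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def strip_vlan(frame: bytes) -> bytes:
    """Return the Ethernet frame with any leading 802.1Q tags removed."""
    # Bytes 0-11 are dst+src MAC; a tag is TPID (2 bytes) + TCI (2 bytes) at offset 12.
    while len(frame) >= 18 and struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q:
        frame = frame[:12] + frame[16:]
    return frame

def strip_vlan_pcap(data: bytes) -> bytes:
    """Rewrite a classic pcap byte string (Ethernet link type) without VLAN tags."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec/nsec
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec/nsec
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet (DLT_EN10MB)")
    out, pos = [data[:24]], 24  # the 24-byte global header is copied unchanged
    while pos + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(endian + "IIII", data, pos)
        frame = data[pos + 16 : pos + 16 + caplen]
        if len(frame) < caplen:
            raise ValueError("truncated packet record")
        stripped = strip_vlan(frame)
        removed = len(frame) - len(stripped)
        # Both the captured and the on-wire length shrink by the removed tag bytes.
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(stripped), origlen - removed))
        out.append(stripped)
        pos += 16 + caplen
    return b"".join(out)

def sample_pcap() -> bytes:
    """Constructed input: one tagged (VLAN 100) and one untagged IPv4 frame."""
    macs = bytes.fromhex("020000000002" "020000000001")
    payload = b"\x45" + bytes(19)  # placeholder 20-byte IPv4 header
    tagged = macs + struct.pack("!HHH", TPID_8021Q, 100, 0x0800) + payload
    plain = macs + struct.pack("!H", 0x0800) + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (tagged, plain))
    return hdr + recs
```

After the rewrite a plain "ip" filter matches both frames, since the EtherType sits at offset 12 again.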