> I want to filter packets having VLAN id 7 or VLAN ID 10. Those are not Q-n-Q > VLAN ID. So what should be perfect BPF syntax for it. > > > > When I tried using below syntax, it results only those packets having VALN ID > as 7 and src host 10.21.22.2. > > ""( ( vlan 7 and src host 10.21.22.2 ) or ( vlan 10 and dst host 10.21.22.3) > )""
This is expected, because each "vlan" term adds another 2-byte offset to the rest of the expression. You need to do this manually, e.g. tcpdump -ni em1 '(ether[12:2]==0x8100) and (ether[14:2]&4095==7 or ether[14:2]&4095==10)' Steinar Haug, Nethelp consulting, [email protected] - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
