I noticed that if I put an "ifname" (or "on") in a filter expression for tcpdump, it will
show all traffic that has an ifname that *starts with* the name I provided. e.g.

# tcpdump -n -l -e -ttt -i pflog0 ifname vlan1

Will show packets for vlan1 but also for vlan110, vlan140, etc. (but not for
em0).
It's not clear from the man page if that is the intended behavior.
https://man.openbsd.org/tcpdump.8#ifname
    ifname interface
        True if the packet was logged as coming from the specified interface
        (applies only to packets logged by pf(4) <https://man.openbsd.org/pf.4>).
While testing I also tried using "ifname vlan" as the filter but it fails with a syntax
error. I'm thinking that is probably an unintended interaction with the "vlan" primitive
since "ifname em" or "ifname bnx" seem to work with no error.
This is all tested on 6.7 so apologies if this is not the current behavior.
- Aner
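
For anyone who needs an exact interface match in the meantime, here is an added example (not part of the original post and not OpenBSD code) that post-filters the text tcpdump prints. It assumes each pflog line printed with -e carries an "on <ifname>:" token; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines, in the assumed shape of "tcpdump -e" pflog output.
sample_lines() {
cat <<'EOF'
Jul 01 12:00:00.000001 rule 3/(match) block in on vlan1: 192.0.2.10.51514 > 198.51.100.5.22: S 1:1(0) win 16384
Jul 01 12:00:00.000002 rule 3/(match) block in on vlan110: 192.0.2.11.40000 > 198.51.100.5.22: S 1:1(0) win 16384
Jul 01 12:00:00.000003 rule 7/(match) pass out on vlan140: 192.0.2.12.40001 > 198.51.100.9.443: S 1:1(0) win 16384
Jul 01 12:00:00.000004 rule 1/(match) block in on em0: 203.0.113.7.1234 > 198.51.100.5.23: S 1:1(0) win 16384
EOF
}

# prefix_if NAME: models the behaviour reported in the post
# (the given name matches any interface name that starts with it).
prefix_if() {
    awk -v want="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "on" && index($(i + 1), want) == 1) { print; next }
    }'
}

# exact_if NAME: keep a line only if the token after "on" is exactly "NAME:".
exact_if() {
    awk -v want="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "on" && $(i + 1) == (want ":")) { print; next }
    }'
}

# count_lines: number of lines on stdin, without padding.
count_lines() { wc -l | tr -d ' '; }

# Live use (the command from the post, piped through the exact filter):
#   tcpdump -n -l -e -ttt -i pflog0 ifname vlan1 | exact_if vlan1
sample_lines | exact_if vlan1
```

On the sample, prefix_if vlan1 keeps the vlan1, vlan110 and vlan140 lines, while exact_if vlan1 keeps only the vlan1 line.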