---- On Wed, 28 Jan 2015 01:20:26 +0000 Michael Richardson wrote ----
>
>Denis Ovsienko <de...@ovsienko.info> wrote:
> > The host has an Ethernet interface with only an IPv6 link-local address
> > (eth0). On top of it there is a VLAN interface with VID 75 (eth0.75),
> > IPv6 link-local address and IPv4 address 10.0.75.254/24. The difference
> > is, when tcpdump runs with "-i eth0.75", it works as expected and
> > displays ARP and, for instance, UDP from/to the network
> > 10.0.75.0/24. When run with "-i eth0", it displays only TCP from/to
> > network 10.0.75.0. This looks wrong in two ways as the tagged packets
> > should not appear on the bearing interface in the first place and even
> > if they appear there the filter should exclude them, but instead of
> > this it excludes all the other packets.
>
>Tagged packets do appear, and if you add -e, you'll see the entire tag there
>too. At this point, it's hard to get the behaviour I think you want from
>the pcap compiler, which is to filter the traffic within the VLAN from the
>bearer.
>
>(I think that showing the tcp packets might be a fluke)

You are right:

root@homepc:~# tcpdump -pni eth0 -e not tcp
08:09:56.529239 00:0f:ea:18:f6:23 > d4:ca:6d:72:b1:da, ethertype 802.1Q (0x8100), length 58: vlan 75, p 0, ethertype IPv4, 109.74.202.168.6633 > 10.0.75.2.55847: Flags [R.], seq 0, ack 1992001615, win 0, length 0

Of course, "not ethertype ip and ip proto tcp" does not match and the right way to do this filtering on this interface is to filter by "vlan and not tcp" (just checked, works). Thus the behaviour is the same as it used to be for years, both on the tcpdump side and on the Linux side. It must be the odd timing that kept me thinking the BPF filter had somewhere flipped to do the opposite from its normal job; I had checked several times before posting.

Thank you for the help, Guy and Michael.

-- 
Denis Ovsienko
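
The offset logic discussed in this message, as an added example that is not part of the original post and is not libpcap's generated code: a simplified, IPv4-only model of why "not tcp" passes an 802.1Q-tagged TCP frame on the bearer interface while "vlan and not tcp" rejects it. All function names are hypothetical and the frames are constructed sample data.

```python
import struct

ETH_IPV4, ETH_8021Q, PROTO_TCP, PROTO_UDP = 0x0800, 0x8100, 6, 17

def build_frame(vid=None, proto=PROTO_TCP):
    """Constructed Ethernet/IPv4 frame; 802.1Q-tagged when vid is given."""
    macs = bytes.fromhex("d4ca6d72b1da") + bytes.fromhex("000fea18f623")
    # 802.1Q tag: TPID 0x8100 followed by the TCI (priority 0, VLAN ID = vid).
    tag = struct.pack("!HH", ETH_8021Q, vid) if vid is not None else b""
    # Minimal 20-byte IPv4 header; the protocol field is byte 9 of the header.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([109, 74, 202, 168]), bytes([10, 0, 75, 2]))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip + bytes(20)

def ethertype(frame, shift=0):
    """Read the 16-bit type field at the fixed offset 12 (+ shift)."""
    return struct.unpack_from("!H", frame, 12 + shift)[0]

def is_tcp(frame, shift=0):
    """'tcp': type field at 12+shift is IPv4 and byte 23+shift is protocol 6."""
    return ethertype(frame, shift) == ETH_IPV4 and frame[23 + shift] == PROTO_TCP

def is_vlan(frame):
    """'vlan': type field at offset 12 is the 802.1Q TPID."""
    return ethertype(frame) == ETH_8021Q

def not_tcp(frame):
    """Model of 'not tcp': offsets assume an untagged frame."""
    return not is_tcp(frame)

def vlan_and_not_tcp(frame):
    """Model of 'vlan and not tcp': after 'vlan', later offsets move by 4."""
    return is_vlan(frame) and not is_tcp(frame, shift=4)

if __name__ == "__main__":
    samples = {"tagged TCP": build_frame(75), "untagged TCP": build_frame(),
               "tagged UDP": build_frame(75, PROTO_UDP)}
    for name, frame in samples.items():
        print(f"{name:13} not tcp={not_tcp(frame)!s:5} "
              f"vlan and not tcp={vlan_and_not_tcp(frame)}")
```
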