List: tcpdump-workers
Subject: Re: [tcpdump-workers] capturing vlan traffic on linux
From: Karsten Keil <kkeil () suse ! de>
Date: 2008-01-24 12:22:16
Message-ID: 20080124122216.GA16542 () pingi ! kke ! suse ! de
On Wed, Jan 23, 2008 at 02:23:06PM -0800, Aaron Turner wrote:
> Box is Linux 2.6.12 kernel
> tcpdump 3.8
> libpcap 0.8.3
> Intel e1000 NIC
>
> Long story short,
>
> 1) when sniffing on the vlan tagged interface (eth0.5), I can see
> inbound and outbound traffic, but the ethernet frames are not tagged.
> 2) when sniffing on the physical interface (eth0) I can see only one
> direction of traffic (outbound I think), and again no vlan tags.
>
> Is it not possible to sniff traffic with the vlan tags if the traffic
> is destined or generated by the host? Or do I need to upgrade
> something?
>
That's the normal behavior I found out some time ago.
The VLAN processing is done in the driver (sometimes in the HW itself); this
is under the tcpdump interface layer.
If I need to debug VLAN issues on the wire I use a second PC on a hub (or
a switch which allows port monitoring). Note: even here you need a card
which passes VLAN tagged frames unchanged to the upper layers; some more
featured cards always remove tags. I know this for tg3 and bnx cards; in this
case (tg3, bnx) you have to disable the advanced monitor firmware on the
cards to see VLAN tags.
--
Karsten Keil
SuSE Labs
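
Added example, not part of the original message: a check for whether a capture taken on a monitoring box still carries 802.1Q tags, which is the condition the reply says depends on the capture card. It assumes a classic (non-pcapng) pcap file with Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def vlan_ids(frame: bytes) -> list:
    """Return the VLAN IDs of all stacked tags in one Ethernet frame, outermost first."""
    vids, off = [], 12                      # EtherType/TPID follows dst + src MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VID
        off += 4
    return vids

def summarize_pcap(data: bytes) -> Counter:
    """Count frames per outer VLAN ID in a classic pcap byte string (None = untagged)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("capture is not Ethernet")
    counts, off = Counter(), 24             # records start after the 24-byte file header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        vids = vlan_ids(data[off + 16: off + 16 + caplen])
        counts[vids[0] if vids else None] += 1
        off += 16 + caplen
    return counts

def sample_pcap() -> bytes:
    """Constructed capture: two frames tagged with VLAN 5 and one untagged frame."""
    macs = bytes.fromhex("020000000002" "020000000001")
    ip_stub = b"\x08\x00" + b"\x00" * 46    # EtherType IPv4 plus zero padding
    tagged = macs + struct.pack("!HH", 0x8100, (3 << 13) | 5) + ip_stub
    untagged = macs + ip_stub
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = lambda f: struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return hdr + rec(tagged) + rec(tagged) + rec(untagged)

if __name__ == "__main__":
    print(summarize_pcap(sample_pcap()))
```

If every frame in a capture from a tagged trunk lands in the `None` bucket, the tags were removed before the frames reached the capture layer.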