List:       tcpdump-workers
Subject:    Re: [tcpdump-workers] capturing vlan traffic on linux
From:       Karsten Keil <kkeil () suse ! de>
Date:       2008-01-24 12:22:16
Message-ID: 20080124122216.GA16542 () pingi ! kke ! suse ! de

On Wed, Jan 23, 2008 at 02:23:06PM -0800, Aaron Turner wrote:
> Box is Linux 2.6.12 kernel
> tcpdump 3.8
> libpcap 0.8.3
> Intel e1000 NIC
> 
> Long story short,
> 
> 1) when sniffing on the vlan tagged interface (eth0.5), I can see
> inbound and outbound traffic, but the ethernet frames are not tagged.
> 2) when sniffing on the physical interface (eth0) I can see only one
> direction of traffic (outbound I think), and again no vlan tags.
> 
> Is it not possible to sniff traffic with the vlan tags if the traffic
> is destined or generated by the host?  Or do I need to upgrade
> something?
> 

That's the normal behavior I found out some time ago.
The VLAN processing is done in the driver (sometimes in the HW itself); this
is under the tcpdump interface layer.
If I need to debug VLAN issues on the wire I use a second PC on a hub (or
a switch which allows port monitoring). Note: even here you need a card
which passes VLAN-tagged frames unchanged to the upper layers; some more
featured cards always remove tags. I know this for tg3 and bnx cards; in this
case (tg3, bnx) you have to disable the advanced monitor firmware on the
cards to see VLAN tags.

-- 
Karsten Keil
SuSE Labs
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
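
To check whether a given capture point preserves VLAN tags, as discussed in the message above, this added example (not part of the original message and not tcpdump or libpcap code) counts frames per outermost VLAN ID in a classic pcap file. The function names and the two-frame sample capture are constructed for illustration; a capture whose tags were stripped below the capture layer reports every frame under `None`.

```python
import struct

TPIDS = (0x8100, 0x88A8)  # 802.1Q tag and 802.1ad outer (QinQ) tag

def vlan_tags(frame: bytes):
    """Return ([(tpid, pcp, dei, vid), ...], inner_ethertype) for one Ethernet frame."""
    tags, off = [], 12                      # skip destination + source MAC
    while len(frame) >= off + 2:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype
        if len(frame) < off + 4:
            break                           # TPID present but TCI cut off (short snaplen)
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    raise ValueError("truncated Ethernet/VLAN header")

def count_by_vid(pcap: bytes):
    """Map outermost VLAN ID (None = untagged) to frame count for a classic pcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                           # written little-endian
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                           # written big-endian
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet (DLT_EN10MB)")
    counts, off = {}, 24                    # 24-byte global header
    while off + 16 <= len(pcap):            # 16-byte per-record header
        (incl_len,) = struct.unpack_from(end + "I", pcap, off + 8)
        tags, _ = vlan_tags(pcap[off + 16 : off + 16 + incl_len])
        vid = tags[0][3] if tags else None
        counts[vid] = counts.get(vid, 0) + 1
        off += 16 + incl_len
    return counts

def sample_pcap():
    """Constructed two-frame capture: one frame tagged VID 5, one untagged."""
    macs = bytes.fromhex("020000000001020000000002")
    tagged = macs + struct.pack("!HHH", 0x8100, 5, 0x0800) + bytes(46)
    untagged = macs + struct.pack("!H", 0x0800) + bytes(46)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (tagged, untagged):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(count_by_vid(sample_pcap()))
```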