tcpdump/bpf and seeing .1q tags

Kelly Yancey kbyanc at posi.net
Wed Mar 9 13:03:11 PST 2005


On Wed, 9 Mar 2005, Charlie Schluting wrote:

> Charlie Schluting wrote:
> > Charles Swiger wrote:
> >
> >> On Mar 9, 2005, at 2:22 PM, Charlie Schluting wrote:
> >>
> >>> More importantly, I'm trying to figure out if a bpf read will see
> >>> them as well. Any insight on this?
> >>
> >>
> >>
> >> Yes, or it will if you use promisc mode and an appropriate BPF filter:
> >>
> >
> > So promisc is enabled in my case.
> >
> > This seems to imply that the bpf will always see the vlan tags. (I don't
> > want to.. that was the point of my question)
> >
> > I believe this is starting to make sense. Thanks for your reply.
>
> Oh! Er.. I hit send too fast.
>
> So a BPF is supposed to ignore vlan tags unless 'vlan' is specified??
>

  Worse: tcpdump has no idea there is a tag on the packet causing any
other filters to compare against the wrong data in the packet.  For this
reason, if you are going to run tcpdump on a parent interface, you need
to either specify no filter criteria or else specify the 'vlan' keyword
so tcpdump knows what it is getting.
  You'll have a similar issue with BPF programs you write: you'll either
need to skip over the vlan tag header or not, depending on whether you
snagged the packet from the parent interface or the vlan interface.

  Kelly

--
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly at nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
 government or information to the people.  This last is the most certain and
 the most legitimate engine of government."
	-- Thomas Jefferson to James Madison, 1787.
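
The offset shift described in the reply above, as an added example that is not part of the original post: a C parser that finds the EtherType and layer-3 offset whether or not an 802.1Q tag is present, next to the fixed-offset check that breaks on tagged frames. Function names and sample frames are constructed for illustration, and only a single tag (TPID 0x8100) is assumed.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN    14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN   4       /* TPID + TCI, inserted before the EtherType */
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */
#define ETHERTYPE_IP   0x0800

struct l2info {
    int      l3_off;  /* offset of the layer-3 header, -1 if frame is truncated */
    int      vid;     /* VLAN id, -1 if untagged */
    uint16_t etype;   /* EtherType of the encapsulated payload */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* What a fixed-offset filter does: assumes the EtherType sits at byte 12. */
int naive_is_ipv4(const uint8_t *f, size_t len)
{
    return len >= ETH_HDR_LEN && rd16(f + 12) == ETHERTYPE_IP;
}

/* Tag-aware parse: skip one 802.1Q tag if present (assumption: no QinQ). */
struct l2info parse_l2(const uint8_t *f, size_t len)
{
    struct l2info r = { -1, -1, 0 };
    size_t off = 12;

    if (len < ETH_HDR_LEN)
        return r;
    if (rd16(f + off) == ETHERTYPE_VLAN) {
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return r;
        r.vid = rd16(f + off + 2) & 0x0fff;  /* low 12 bits of the TCI */
        off += VLAN_TAG_LEN;
    }
    r.etype = rd16(f + off);
    r.l3_off = (int)(off + 2);
    return r;
}

/* Constructed sample frames: same IPv4 payload start, second one tagged VLAN 100. */
const uint8_t untagged_frame[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00, 0x45,0x00 };
const uint8_t tagged_frame[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };
```

On the tagged frame the fixed-offset check reads the TPID instead of the payload EtherType, so an IPv4 match silently fails, while the tag-aware parse reports the layer-3 header four bytes later.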

