tcpdump mailing list archives

Re: vlan [xx] filter not filtering any packets


From: Guy Harris <guy () alum mit edu>
Date: Wed, 10 Jun 2009 11:12:31 -0700


On Jun 8, 2009, at 4:47 AM, Nikola Ciprich wrote:

> I've spent some time playing with tcpdump and pcap with regard
> to vlans. Using libpcap 1.0.0 + tcpdump 4.0.0, I am able to
> correctly dump packets including (reconstructed) vlan headers.
> But it seems that using the vlan filter keyword does not work.

The troublesome word here is "reconstructed".

Filtering is done in the kernel on Linux, when possible; unfortunately, that means the filter is looking at packet data that *doesn't* have a reconstructed VLAN header when you're filtering a live capture.

There are special hooks in Linux's BPF interpreter to allow filtering on some data that's not in the packet data; libpcap already uses that to handle fields in the constructed DLT_LINUX_SLL header (it generates code assuming the header is at the beginning of the packet and, if it determines that the filter will be handed to the kernel, rewrites load instructions that load from the header to load the corresponding items from packet metadata instead), and we *might* be able to do the same with the reconstructed VLAN header *if* the information from which it's reconstructed can be fetched by the kernel's BPF interpreter.
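The mismatch described in this message, as an added example that is not part of the original post and is not libpcap or kernel code: a small model of a classic-BPF interpreter runs a "vlan 100" filter over the same frame with the tag in the packet data (the reconstructed view) and with the tag held only in metadata (the kernel's view), then again after the tag loads are redirected to metadata. The `AD_VLAN_*` metadata slots, the struct and function names, and the sample frame are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Model of the classic-BPF subset that a "vlan 100" filter needs. */
enum { LDH, JEQ, AND, RET };
struct insn { int op; int32_t k; int jt, jf; };
struct pkt { const uint8_t *d; size_t len; int tagged; uint16_t tci; };
/* Negative offsets read metadata (Linux: SKF_AD_OFF); these two slots are hypothetical. */
#define AD_VLAN_TPID (-0x1000)     /* 0x8100 if a tag was stripped, else 0 */
#define AD_VLAN_TCI  (-0x1000 + 2) /* TCI of the stripped tag */
uint32_t run(const struct insn *p, const struct pkt *pk) {
    uint32_t a = 0;
    for (int pc = 0;; pc++) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case LDH:
            if (i->k == AD_VLAN_TPID) a = pk->tagged ? 0x8100 : 0;
            else if (i->k == AD_VLAN_TCI) a = pk->tci;
            else if (i->k < 0 || (size_t)i->k + 2 > pk->len) return 0;
            else a = (uint32_t)pk->d[i->k] << 8 | pk->d[i->k + 1];
            break;
        case AND: a &= (uint32_t)i->k; break;
        case JEQ: pc += (a == (uint32_t)i->k) ? i->jt : i->jf; break;
        default:  return (uint32_t)i->k; /* RET */
        }
    }
}
/* "vlan 100", generated as if the 802.1Q tag sits at offset 12 of the packet data. */
const struct insn vlan100[7] = {
    {LDH, 12, 0, 0}, {JEQ, 0x8100, 0, 3}, {LDH, 14, 0, 0}, {AND, 0x0fff, 0, 0},
    {JEQ, 100, 1, 0}, {RET, 0, 0, 0}, {RET, 0xffff, 0, 0} };
/* Redirect the tag loads to metadata, for a filter that will be handed to the kernel. */
void rewrite_for_kernel(const struct insn *in, struct insn *out, int n) {
    for (int i = 0; i < n; i++) {
        out[i] = in[i];
        if (in[i].op == LDH && in[i].k == 12) out[i].k = AD_VLAN_TPID;
        if (in[i].op == LDH && in[i].k == 14) out[i].k = AD_VLAN_TCI;
    }
}
/* Constructed sample: one frame on VLAN 100, tag in the data vs. tag stripped. */
const uint8_t with_tag[18] = {1,2,3,4,5,6, 7,8,9,10,11,12, 0x81,0x00, 0x00,0x64, 0x08,0x00};
const uint8_t stripped[14] = {1,2,3,4,5,6, 7,8,9,10,11,12, 0x08,0x00};
const struct pkt reconstructed = {with_tag, sizeof with_tag, 0, 0};
const struct pkt kernel_view = {stripped, sizeof stripped, 1, 0x0064};

int main(void) {
    struct insn k[7];
    rewrite_for_kernel(vlan100, k, 7);
    printf("%u %u %u\n", run(vlan100, &reconstructed), run(vlan100, &kernel_view), run(k, &kernel_view));
}
```

The unmodified filter accepts the reconstructed frame but rejects the kernel's view of it, because offset 12 there holds the inner EtherType rather than 0x8100.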

