[Winpcap-users] WinPcap 4 & Cisco Spanned Ports
Guy Harris
guy at alum.mit.edu
Fri May 11 17:16:26 GMT 2007
Steighton_Haley at McAfee.com wrote:
> Sounds like a bug in the filter interpretation code (probably exists in
> the base pcap libraries)...
Pcap filter expressions assume no VLAN encapsulation unless you add a
"vlan" keyword.
Note that the "vlan" keyword affects all subsequent terms in the filter
expression, so they assume VLAN encapsulation:

    $ man tcpdump

        ...

        vlan [vlan_id]
               True if the packet is an IEEE 802.1Q VLAN packet. If
               [vlan_id] is specified, only true is the packet has the
               specified vlan_id. Note that the first vlan keyword
               encountered in expression changes the decoding offsets
               for the remainder of expression on the assumption that
               the packet is a VLAN packet.

so to capture packets to or from 10.10.10.10 on a VLAN, do

    vlan and host 10.10.10.10

and to capture packets to or from 10.10.10.10 regardless of whether
they're on a VLAN, do

    host 10.10.10.10 or (vlan and host 10.10.10.10)
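
Added example, not part of the original message and not libpcap's own code: a small Python model of the offset shift described above, showing why a plain `host` term misses 802.1Q-tagged frames on a spanned port. It handles IPv4 only; the frame builder, the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # IEEE 802.1Q tag protocol identifier

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet/IPv4 frame, optionally 802.1Q-tagged."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def host(frame, addr, l2_len=14):
    """'host addr' at fixed offsets: EtherType at l2_len-2, IPv4 header at l2_len."""
    if len(frame) < l2_len + 20:
        return False
    if struct.unpack_from("!H", frame, l2_len - 2)[0] != ETH_IPV4:
        return False
    ip = socket.inet_aton(addr)
    return ip in (frame[l2_len + 12:l2_len + 16], frame[l2_len + 16:l2_len + 20])

def vlan(frame):
    """'vlan': true if the type field at offset 12 carries the 802.1Q TPID."""
    return len(frame) >= 18 and struct.unpack_from("!H", frame, 12)[0] == ETH_VLAN

def plain_filter(frame, addr):
    """Model of: host addr"""
    return host(frame, addr)

def vlan_filter(frame, addr):
    """Model of: vlan and host addr (terms after 'vlan' shift by the 4-byte tag)."""
    return vlan(frame) and host(frame, addr, l2_len=18)

def either_filter(frame, addr):
    """Model of: host addr or (vlan and host addr)"""
    return plain_filter(frame, addr) or vlan_filter(frame, addr)

if __name__ == "__main__":
    for name, f in (("untagged", build_frame("10.10.10.10", "192.0.2.1")),
                    ("vlan 100", build_frame("10.10.10.10", "192.0.2.1", 100))):
        print(name, plain_filter(f, "10.10.10.10"), vlan_filter(f, "10.10.10.10"),
              either_filter(f, "10.10.10.10"))
```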