[Winpcap-users] WinPcap 4 & Cisco Spanned Ports

[Steighton_Haley at McAfee.com]

Thanks Guy!  That'll teach me not to hit my man pages first ;)

Though, in my defense tcpdump *is* a very long man-page :)

SLH.

---
Steighton Haley                          shaley at mcafee.com
Software Engineer

"Why do nerds confuse Halloween and Christmas?  Because OCT31=DEC25" 

> -----Original Message-----
> From: winpcap-users-bounces at winpcap.org 
> [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Guy Harris
> Sent: Friday, May 11, 2007 10:16 AM
> To: winpcap-users at winpcap.org
> Subject: Re: [Winpcap-users] WinPcap 4 & Cisco Spanned Ports
> 
> Steighton_Haley at McAfee.com wrote:
> > Sounds like a bug in the filter interpretation code 
> (probably exists 
> > in the base pcap libraries)...
> 
> Pcap filter expressions assume no VLAN encapsulation unless 
> you add a "vlan" keyword.
> 
> Note that the "vlan" keyword affects all subsequent terms in 
> the filter expression, so they assume VLAN encapsulation:
> 
> $ man tcpdump
> 
>            ...
> 
>       vlan [vlan_id]
>             True  if  the  packet  is an IEEE 802.1Q VLAN packet.  If
>             [vlan_id] is specified, only true is the packet  has  the
>             specified  vlan_id.   Note  that  the  first vlan keyword
>             encountered in expression changes  the  decoding  offsets
>             for  the  remainder  of expression on the assumption that
>             the packet is a VLAN packet.
> 
> so to capture packets to or from 10.10.10.10 on a VLAN, do
> 
> 	vlan and host 10.10.10.10
> 
> and to capture packets to or from 10.10.10.10 regardless of 
> whether they're on a VLAN, do
> 
> 	host 10.10.10.10 or (vlan and host 10.10.10.10) 
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>