Date: Wed, 9 Mar 2005 14:05:46 -0800 (PST) From: Kelly Yancey <kbyanc@posi.net> To: Charlie Schluting <charlie@schluting.com> Cc: net@freebsd.org Subject: Re: tcpdump/bpf and seeing .1q tags Message-ID: <20050309135422.C13519@gateway.posi.net> In-Reply-To: <422F5D66.6020808@schluting.com> References: <20050309111759.O97008@schluting.com> <3aa4b0ab62a3d4855fdc62383a77b9d5@mac.com> <422F5CF6.9070906@schluting.com> <422F5D66.6020808@schluting.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 9 Mar 2005, Charlie Schluting wrote:
> Charlie Schluting wrote:
> > Charles Swiger wrote:
> >
> >> On Mar 9, 2005, at 2:22 PM, Charlie Schluting wrote:
> >>
> >>> More importantly, I'm trying to figure out if a bpf read will see
> >>> them as well. Any insight on this?
> >>
> >>
> >>
> >> Yes, or it will if you use promisc mode and an appropriate BPF filter:
> >>
> >
> > So promisc is enabled in my case.
> >
> > This seems to imply that the bpf will always see the vlan tags. (I don't
> > want to.. that was the point of my question)
> >
> > I believe this is starting to make sense. Thanks for your reply.
>
> Oh! Er.. I hit send too fast.
>
> So a BPF is supposed to ignore vlan tags unless 'vlan' is specified??
>
Worse: tcpdump has not idea there is a tag on the packet causing any
other filters to compare against the wrong data in the packet. For this
reason, if you are going to run tcpdump on a parent interface, you need
to either specify no filter criteria or else specify the 'vlan' keyword
so tcpdump knows what it is getting.
You'll have a similar issue with BPF programs you write: you'll either
need to skip over the vlan tag header or not, depending on whether you
snagged the packet from the parent interface or the vlan interface.
Kelly
--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
government or information to the people. This last is the most certain and
the most legitimate engine of government."
-- Thomas Jefferson to James Madison, 1787.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050309135422.C13519>