Wireshark-users: Re: [Wireshark-users] Filtering both vlan-tagged as untagged frames with an ip-f
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 01 May 2007 23:38:26 -0700
Sake Blok wrote:

While analysing a problem today I discovered that I had missed packets in
my session after capturing with a filter like "vlan and host x.x.x.x".
After making a trace with no filter, I could see that packets in one
direction were tagged, while they were not tagged in the other direction.
Then I tried a filter like "(vlan or not vlan) and host x.x.x.x", but
that just doesn't work.

Does anyone know how to capture both vlan-tagged frames and untagged
frames with an ip-address filter?

Might this be a WinPcap bug?

Does it count as a bug if it's documented to work that way? :-)

To quote the OS X 10.4.9 tcpdump man page (this isn't WinPcap-specific - it's common to all libpcap/WinPcap implementations):

     vlan [vlan_id]
             True  if  the  packet  is an IEEE 802.1Q VLAN packet.  If
             [vlan_id] is specified, only true if the packet  has  the
             specified  vlan_id.   Note  that  the  first vlan keyword
             encountered in expression changes  the  decoding  offsets
             for  the  remainder  of expression on the assumption that
             the packet is a VLAN packet.

As the second sentence says, "Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet." The "vlan" in "vlan and host x.x.x.x" causes the "host x.x.x.x" to check for VLAN-encapsulated packets with an IPv4 address of x.x.x.x.

To check for both VLAN-encapsulated and non-VLAN-encapsulated packets with that IPv4 address, try

	host x.x.x.x or (vlan and host x.x.x.x)

(or use "ip host x.x.x.x" in both cases if you don't care about ARP packets).
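As an added illustration (not part of the original message), here is a small Python emulation of the offset behaviour described above: libpcap reads the EtherType and IPv4 addresses at fixed link-layer offsets, and a "vlan" keyword shifts those offsets by the 4-byte 802.1Q tag for everything after it. The frames, MAC addresses, IP addresses and VLAN id are constructed placeholders, and the emulation covers only the IPv4 part of "host", not the ARP/RARP matching the real primitive also does.

```python
import struct
import ipaddress

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100


def build_ipv4_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet/IPv4 frame, 802.1Q-tagged when vlan_id is given.
    Constructed sample data: placeholder MACs, no payload, zero checksum."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        # TPID 0x8100 followed by PCP/DEI/VID (priority 0, VID in the low 12 bits)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def is_vlan(frame):
    """The 'vlan' primitive: EtherType at the fixed offset 12 equals 0x8100."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN


def host_at(frame, addr, shift):
    """IPv4 part of 'host x' with link-layer offsets moved by `shift` bytes
    (0 normally, 4 once a 'vlan' keyword has been seen). A load past the end
    of the packet fails the match, as an out-of-range BPF load would."""
    if len(frame) < 34 + shift:
        return False
    if struct.unpack_from("!H", frame, 12 + shift)[0] != ETHERTYPE_IP:
        return False
    packed = ipaddress.IPv4Address(addr).packed
    ip_off = 14 + shift  # IPv4 header start; src at +12, dst at +16
    return packed in (frame[ip_off + 12:ip_off + 16], frame[ip_off + 16:ip_off + 20])


def vlan_and_host(frame, addr):
    """'vlan and host x': the vlan keyword shifts the offsets 'host' uses."""
    return is_vlan(frame) and host_at(frame, addr, 4)


def vlan_or_not_vlan_and_host(frame, addr):
    """'(vlan or not vlan) and host x': the first vlan keyword still shifts
    the offsets for everything after it, so untagged frames are read wrongly."""
    return (is_vlan(frame) or not is_vlan(frame)) and host_at(frame, addr, 4)


def host_or_vlan_host(frame, addr):
    """'host x or (vlan and host x)': unshifted offsets on the left, shifted
    offsets on the right, so both encapsulations of the address match."""
    return host_at(frame, addr, 0) or (is_vlan(frame) and host_at(frame, addr, 4))
```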