We have a machine set up with an interface connected to a mirror port on a
network router. On the router, multiple VLANs are mirrored to the same
port.
Until recently, we had an ancient machine running RedHat Linux 7.3,
with Linux 2.4.20, tcpdump-3.6, libpcap-0.6 and an optical gigabit
interface.
We could capture packets with e.g. "tcpdump -i eth1 -w eth1.cap"
and then replay them with e.g.
"tcpdump -r eth1.cap vlan 901 and host 192.168.3.4".
Or we could capture live packets with e.g.
"tcpdump -i eth1 vlan 901 and host 192.168.3.4".
We replaced this with a newer machine with CentOS 6, Linux 2.6.32,
tcpdump-4.0.0, libpcap-1.4, wireshark-1.8.10.
On this machine we can capture as before, and then use a VLAN filter
during analysis with tcpdump or wireshark.
But if I use a VLAN filter during capture, no packets are matched.
Without the VLAN filter, all packets are matched, and I can filter by host
address etc. This is the same in tcpdump and wireshark.
How can I get the live capture filter to work? I want to be able to look
at just one VLAN without having to build a complex IP-address-based
filter.
--
Andrew Daviel, TRIUMF, Canada
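An added, constructed example (not part of the original post, and not tcpdump or libpcap code): a small Python reader for the classic pcap format that checks whether the frames in a saved capture actually carry an 802.1Q tag and tallies frames per VLAN ID. Running it over a file such as eth1.cap separates "the tag is not present in the frame" from "the filter is not matching it"; the sample capture below is built in memory so the script runs stand-alone.

```python
import struct

# Classic pcap global header: little-endian magic, v2.4, LINKTYPE_ETHERNET (1).
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(vlan_id=None):
    """Constructed sample Ethernet frame, optionally 802.1Q-tagged (dummy payload)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = b"\x00" * 46  # padding only, not a real IP packet
    if vlan_id is None:
        return dst + src + b"\x08\x00" + payload
    tci = vlan_id & 0x0FFF  # priority 0, DEI 0, 12-bit VLAN ID
    return dst + src + b"\x81\x00" + struct.pack(">H", tci) + b"\x08\x00" + payload


def build_pcap(frames):
    """Wrap constructed frames in pcap record headers (fake timestamps)."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def vlan_summary(pcap_bytes):
    """Return (untagged_count, {vlan_id: count}) for a little-endian Ethernet pcap."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, untagged, tagged = 24, 0, {}
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue  # truncated record
        ethertype = struct.unpack(">H", frame[12:14])[0]
        if ethertype == 0x8100 and len(frame) >= 18:
            vid = struct.unpack(">H", frame[14:16])[0] & 0x0FFF
            tagged[vid] = tagged.get(vid, 0) + 1
        else:
            untagged += 1  # tag absent, so a "vlan" filter cannot match this frame
    return untagged, tagged


if __name__ == "__main__":
    sample = build_pcap([build_frame(901), build_frame(901), build_frame(None), build_frame(902)])
    print(vlan_summary(sample))
```

To check a real file, replace the constructed sample with `open("eth1.cap", "rb").read()`; if every frame is reported as untagged, the tags are being stripped before they reach the capture.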