Vlan – tcpdump (-i any) with vlan


I have a question regarding tcpdump (capturing all interfaces) and a strange capture I see.

Environment:

2 Linux devices connected and configured with a VLAN tag (802.1Q). I am pinging between the 2 devices' VLAN interfaces; network-wise everything works well. When using tcpdump to capture all interfaces (tcpdump -i any -n -e), I am seeing this:

The first 3 packets look fine.

Received on the main interface (tagged):

-6:-45:-40.2216 In 00:11:22:33:44:56 ethertype 802.1Q (0x8100), length 104: vlan 10, p 0, ethertype IPv4, 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 487, length 64

Received on the vlan interface (untagged):

-6:-45:-40.2217 In 00:11:22:33:44:56 ethertype IPv4 (0x0800), length 100: 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 487, length 64

Sent from the vlan interface (untagged):

-6:-45:-40.2221 Out 00:11:22:33:44:55 ethertype IPv4 (0x0800), length 100: 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 487, length 64

But the fourth, sent from the main interface, looks erroneous:

-6:-45:-40.2223 Out 00:11:22:33:44:55 ethertype 802.1Q (0x8100), length 100: vlan 1280, p 2, ethertype Unknown, LLC, dsap SNA (0x04) Group, ssap Unknown (0x3e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Response], length 80

When giving tcpdump the specific interface (eth0 or eth0.10), it looks fine:

"tcpdump -i usb0 -n -e"

-6:-13:00.40042 00:11:22:33:44:56 > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 2442, length 64
-6:-13:00.40100 00:11:22:33:44:55 > 00:11:22:33:44:56, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 2442, length 64

"tcpdump -i usb0.10 -n -e"

-6:-52:-14.5791 00:11:22:33:44:56 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 94, length 64
-6:-52:-14.5795 00:11:22:33:44:55 > 00:11:22:33:44:56, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 94, length 64

Currently I work with a USB network interface, but the same goes for Ethernet (eth0 / eth0.10).

The extra 2 bytes when using -i any are because Linux adds its Linux cooked 2 bytes.

Any idea why tcpdump shows this line when using -i any?

Since traffic is working well, I guess it is just a parsing issue with tcpdump?

-6:-45:-40.2223 Out 00:11:22:33:44:55 ethertype 802.1Q (0x8100), length 100: vlan 1280, p 2, ethertype Unknown, LLC, dsap SNA (0x04) Group, ssap Unknown (0x3e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Response], length 80

Best Answer

I think tshark can cope with cooked captures today; I rarely, if ever, use tcpdump anymore.

Back when tshark couldn't cope with this (when I was capturing ERSPAN) I wrote a script which can pop N bytes out of each frame, quite useful also if you're tunneling over something which is not recognized.
