Tcpdump: capture one of several vlans

packet-capturesniffingtcpdumpvlan

I want tcpdump to capture VLAN 1000 or VLAN 501. man pcap-filter says:

The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.

When I do:

tcpdump -vv -i eth1 \( vlan 1000 \) and \( ip host 10.1.1.98 or ip host 10.1.1.99 \)

I get captured packets.

But when I do:

tcpdump -vv -i eth1 \( vlan 1000 or vlan 501 \) and \( ip host 10.1.1.98 or ip host 10.1.1.99 \)

I don't get any packets — I presume because of the "increment by 4" behavior described in the man page.

How can I capture traffic on more than one VLAN at a time?

Best Answer

I remembered that you can examine the packet bytes directly. So looking directly into the ethernet header works:

tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'

Don't forget the :2, this is a 2 byte field -- I got stuck on this for a while.

Related Solutions

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Log tcpdump Output

Instead of logging all traffic, I would suggest the following: Monitor the number of packets sent to your server. If it exceeds a certain threshold, log a couple of 1000 packets, then wait for a longer time.

That packet trace should contain plenty of information which can be used for analysis. Also, it will not impose too much additional load on your server while everything is fine. You could use the following hacked together bash code as a starting point (could be started in screen, for example):

interface=eth0
dumpdir=/tmp/

while /bin/true; do
  pkt_old=`grep $interface: /proc/net/dev | cut -d :  -f2 | awk '{ print $2 }'`
  sleep 1
  pkt_new=`grep $interface: /proc/net/dev | cut -d :  -f2 | awk '{ print $2 }'`

  pkt=$(( $pkt_new - $pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ $pkt -gt 5000 ]; then
    echo -e "\n`date` Under attack, dumping packets."
    tcpdump -n -s0 -c 2000 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap
    echo "`date` Packets dumped, sleeping now."
    sleep 300
  fi
done

Feel free to adapt it to your needs.

Best Answer

Related Solutions

tcpdump – How to Capture ACK or SYN Packets

Log tcpdump Output

Related Topic