I'm trying to figure out the vlan tagged packets that my host receives or sends to other hosts. I tried

tcpdump -i eth1 vlan 0x0070

But it didn't work. Has anyone tried to view the VLAN packets through tcpdump before? Couldn't find much help searching the web!

madCode

3 Answers

If your host is connected to an access port, the switch will likely strip the VLAN tag off before it reaches your host. As a result, running TCPDump on the host in question will never see the VLAN tags.

You would need to set up a SPAN port and/or introduce a network tap into your network somewhere to grab traffic before the tags are dropped off the packets in order to see them in a network dump/trace.

Rex
  • Note that "vlan" increases the filter start offset by four bytes. Combining it with other primitives, e.g. "vlan or ip host 10.11.1.2" may not do what you expect. – Gerald Combs Dec 18 '13 at 23:56
  • To be accurate, a switch does not strip VLAN tags off a frame before sending it out an access port, it only adds VLAN tagging to frames before it sends them out a trunk/tagged port (and they are removed once received by the switch on the other side). – YLearn Dec 19 '13 at 00:36

You can actually use Linux to "decode" 802.1Q (VLAN tagging). You can effectively turn Linux into a "router on a stick" and route between VLANs, with a single Ethernet port, on a fancy Cisco layer 2 switch (that has lots of VLANs).

The main Ethernet has "subinterfaces" which correspond with the VLAN ID. You can then route, and iptables (firewall) the subinterfaces individually.

This is an easy way to have a perimeter Linux firewall connected to the ISP, and 10 VLANs behind it, but only using a single Ethernet interface.

Dot q is the standard, even though Cisco thinks it made it up, so it runs great on Linux.

EDIT: to enable this

modprobe 8021q

You can then run tcpdump to listen on the subinterfaces.

nandoP
  • This still would not see VLAN tags unless the port he is connected to is tagging the traffic. – Rex Dec 19 '13 at 01:54
  • @Rex, that's right, the other side of the Ethernet cable must be conf'ed as, what Cisco calls, "switchport mode trunk" or vendor equivalent. – nandoP Dec 19 '13 at 06:41
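To make two points from the answers above concrete (Gerald Combs's note that the "vlan" primitive shifts every later field by four bytes, and nandoP's remark that 802.1Q is just a fixed header Linux can decode), here is an added Python example that is not part of any answer on this page and is not tcpdump's own filter engine. It builds constructed tagged and untagged frames, locates the TPID/TCI pair, pulls out the VLAN ID (0x70, i.e. 112, as in the question), and shows how a fixed-offset "ip host"-style check reads the wrong bytes once a tag is present. The MAC and IP addresses and all function names are made-up sample values for illustration.

```python
import struct
import ipaddress

ETHERTYPE_8021Q = 0x8100   # TPID value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14           # untagged: dst MAC(6) + src MAC(6) + ethertype(2)
VLAN_TAG_LEN = 4           # TPID(2) + TCI(2); everything after it moves by this much


def ipv4_header(src, dst, proto=17):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_frame(dst_mac, src_mac, payload, vlan_id=None, pcp=0):
    """Constructed Ethernet frame; inserts a TPID/TCI pair when vlan_id is given."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    return frame + payload


def parse_frame(frame):
    """Return the VLAN ID (None if untagged), the real ethertype, and the L3 offset."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = ETH_HDR_LEN
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset += VLAN_TAG_LEN                           # the tag pushes L3 out by 4 bytes
    return {"vlan": vlan_id, "ethertype": ethertype, "l3_offset": offset}


def ip_addresses(frame, l3_offset):
    """Read IPv4 src/dst at a given L3 offset (correct only if the offset is right)."""
    src, dst = struct.unpack("!4s4s", frame[l3_offset + 12:l3_offset + 20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def match_vlan(frame, vlan_id):
    """Equivalent of the 'vlan <id>' test: true only for frames tagged with that ID."""
    return parse_frame(frame)["vlan"] == vlan_id


def match_ip_host(frame, host, assume_tagged=False):
    """Mimic an 'ip host' test whose field offsets were fixed when the filter was built.

    A BPF-style filter does not re-derive offsets per packet; if the offsets were
    computed for one framing and the packet arrives with the other, the check reads
    the wrong bytes. That is the mismatch Gerald Combs's comment warns about.
    """
    offset = ETH_HDR_LEN + (VLAN_TAG_LEN if assume_tagged else 0)
    if len(frame) < offset + 20:
        return False
    return host in ip_addresses(frame, offset)


# Constructed sample frames: same IPv4 payload, with and without a VLAN 0x70 tag.
PAYLOAD = ipv4_header("10.11.1.2", "10.11.1.9")
TAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", PAYLOAD, vlan_id=0x70)
UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", PAYLOAD)


if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        info = parse_frame(frame)
        print(name, info, ip_addresses(frame, info["l3_offset"]))
    # Reading the tagged frame at the untagged offset yields garbage addresses.
    print("tagged frame read at offset 14:", ip_addresses(TAGGED, ETH_HDR_LEN))
```

The last line of output shows the effect of the four-byte shift: reading the tagged frame at offset 14 returns the TTL/protocol/checksum bytes as the "source address", so an "ip host 10.11.1.9" test built for untagged framing silently misses it. In practice that is a reason to capture tagged traffic on the tagged parent interface and either put "vlan" first in the expression or run a second capture on the 8021q subinterface, where the kernel has already removed the tag and the usual offsets apply.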

I think you're using the wrong tool to be honest - tcpdump is more tied to IP (L3) whereas VLANs are a feature of L2 - try using wireshark instead.

Chopper3