0

I have a packet which shows it is a VLAN type. I am using dpkt version 1.6 to extract the fields. However, it seems that the VLAN type is not supported. When the condition is applied as

eth = dpkt.ethernet.Ethernet(header_sampled_packet)
print eth.type

it shows the type to be 0x0800, which is the IP type, but it actually needs to be 0x8100.

Is VLAN not supported in dpkt, or is it supported in a higher version? How can I extract the fields through dpkt, or are there any other packages?

I have a hex stream with a VLAN in it. This is sFlow hex data.

Laxmi Kadariya

2 Answers

0

After stepping into the dpkt.ethernet.py file I found that def _unpack_data(self, buf): is pulling out the VLAN info already.

if self.type == ETH_TYPE_8021Q:
    self.tag, self.type = struct.unpack('>HH', buf[:4])
    buf = buf[4:]

I'm not good at dpkt, but I think the self.tag is the VLAN ID and the type is the type of the self.data.

In my code I did this:

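import dpkt

# pcap is assumed to be an already opened dpkt.pcap.Reader
for ts, buf in pcap:
    try:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        # PPPoE frames: re-parse the payload as PPPoE
        if eth.type in (dpkt.ethernet.ETH_TYPE_PPPoE_DISC, dpkt.ethernet.ETH_TYPE_PPPoE):
            ip = dpkt.pppoe.PPPoE(eth.data)
        # eth.tag is only set when the frame carried an 802.1Q tag
        if hasattr(eth, 'tag'):
            print("eth tag = %s" % (eth.tag))
    except Exception as dpkterr:
        print("Dpkt exception: %s" % (dpkterr))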

This seems to work.

user2106070
0

Having a packet with a vlan tag means having at least 2 eth_type fields in the packet. The first would indicate the vlan tag - "802.1Q Virtual LAN (0x8100)" and the second would indicate the underlying layer, in your case - "IPv4 (0x0800)".

In newer dpkt versions (1.8.8, 1.9.2) developers chose to save the first tag as the main one for the packet in eth.type, but they also store all underlying tag types in a list - eth.vlan_tags.

So in your case you would find eth.vlan_tags[0].type == dpkt.ethernet.ETH_TYPE_IP
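
The tag layout both answers describe (a 0x8100 type field, a 16-bit tag, then the type of the encapsulated payload) can be checked without dpkt. The following is an added example, not part of either answer and not dpkt's code: a standard-library parser that walks stacked tags (802.1Q and 802.1ad) and splits the 16-bit tag into priority, DEI and 12-bit VLAN ID. The function names and the sample frame are constructed for illustration.

```python
import struct

ETH_TYPE_IP = 0x0800
VLAN_TPIDS = (0x8100, 0x88A8)  # 802.1Q and 802.1ad (QinQ) tag identifiers


def parse_ethernet(frame):
    """Return (dst, src, tags, ethertype, payload) for a raw Ethernet frame.

    tags lists the VLAN tags outermost first; ethertype is the type of the
    payload that follows the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack(">6s6sH", frame[:14])
    offset, tags = 14, []
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        # Same unpack as in the first answer: 16-bit tag, then the next type
        tci, inner_type = struct.unpack(">HH", frame[offset:offset + 4])
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # 3-bit priority
            "dei": (tci >> 12) & 0x1,  # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN ID
        })
        ethertype, offset = inner_type, offset + 4
    return dst, src, tags, ethertype, frame[offset:]


def build_sample_frame():
    """Constructed sample: VLAN 100, priority 5, stub IPv4 payload."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    tci = (5 << 13) | 100
    return dst + src + struct.pack(">HHH", 0x8100, tci, ETH_TYPE_IP) + b"\x45\x00"


if __name__ == "__main__":
    dst, src, tags, ethertype, payload = parse_ethernet(build_sample_frame())
    print("tags:", tags)
    print("payload ethertype: 0x%04x" % ethertype)
```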