Date: Wed, 9 Mar 2005 14:05:46 -0800 (PST)
From: Kelly Yancey
To: Charlie Schluting
cc: net@freebsd.org
Subject: Re: tcpdump/bpf and seeing .1q tags
In-Reply-To: <422F5D66.6020808@schluting.com>
Message-ID: <20050309135422.C13519@gateway.posi.net>
References: <20050309111759.O97008@schluting.com> <3aa4b0ab62a3d4855fdc62383a77b9d5@mac.com> <422F5CF6.9070906@schluting.com> <422F5D66.6020808@schluting.com>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 9 Mar 2005, Charlie Schluting wrote:

> Charlie Schluting wrote:
> > Charles Swiger wrote:
> >
> >> On Mar 9, 2005, at 2:22 PM, Charlie Schluting wrote:
> >>
> >>> More importantly, I'm trying to figure out if a bpf read will see
> >>> them as well. Any insight on this?
> >>
> >> Yes, or it will if you use promisc mode and an appropriate BPF filter:
> >>
> >
> > So promisc is enabled in my case.
> >
> > This seems to imply that the bpf will always see the vlan tags. (I don't
> > want to.. that was the point of my question)
> >
> > I believe this is starting to make sense. Thanks for your reply.
>
> Oh! Er.. I hit send too fast.
>
> So a BPF is supposed to ignore vlan tags unless 'vlan' is specified??
>

  Worse: tcpdump has no idea there is a tag on the packet, causing any
other filters to compare against the wrong data in the packet. For this
reason, if you are going to run tcpdump on a parent interface, you need to
either specify no filter criteria or else specify the 'vlan' keyword so
tcpdump knows what it is getting.

  You'll have a similar issue with BPF programs you write: you'll either
need to skip over the vlan tag header or not, depending on whether you
snagged the packet from the parent interface or the vlan interface.

  Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
government or information to the people. This last is the most certain and
the most legitimate engine of government."
    -- Thomas Jefferson to James Madison, 1787.
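
The offset problem described in the message above, as an added example that is not part of the original thread: a check written for untagged frames reads the 802.1Q TPID instead of the real EtherType when the frame comes from the parent interface, while a tag-aware parse skips the 4-byte tag. Function names and sample frames are constructed for illustration, and only a single 802.1Q tag is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100              /* 802.1Q TPID */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical filter that assumes an untagged frame: type field at offset 12. */
int naive_is_ipv4(const uint8_t *f, size_t len)
{
    return len >= 14 && rd16(f + 12) == ETHERTYPE_IP;
}

/* Tag-aware parse: returns the offset of the L3 header, or -1 if truncated.
 * *type receives the real EtherType, *vid the VLAN ID (-1 when untagged). */
int l3_offset(const uint8_t *f, size_t len, uint16_t *type, int *vid)
{
    size_t off = 12;
    *vid = -1;
    if (len < 14) return -1;
    *type = rd16(f + off);
    if (*type == ETHERTYPE_VLAN) {
        if (len < 18) return -1;           /* tag present but frame cut short */
        *vid = rd16(f + 14) & 0x0fff;      /* low 12 bits of the TCI */
        off += 4;                          /* skip TPID + TCI */
        *type = rd16(f + off);
    }
    return (int)(off + 2);
}

/* Constructed frames: the same IPv4 start (0x45 0x00), without and with VLAN 100. */
const uint8_t untagged[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0x00 };
const uint8_t tagged[]   = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x81,0x00, 0x00,0x64,
                             0x08,0x00, 0x45,0x00 };

int main(void)
{
    uint16_t type; int vid, off;
    printf("naive: untagged=%d tagged=%d\n",
           naive_is_ipv4(untagged, sizeof untagged),
           naive_is_ipv4(tagged, sizeof tagged));
    off = l3_offset(tagged, sizeof tagged, &type, &vid);
    printf("aware: l3 offset=%d type=0x%04x vid=%d\n", off, (unsigned)type, vid);
    return 0;
}
```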