Re: tcpdump/bpf and seeing .1q tags

• Previous message: Qukasz_Bromirski?=: "Re: ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)"
• In reply to: Charlie Schluting: "Re: tcpdump/bpf and seeing .1q tags"
• Next in thread: Charlie Schluting: "Re: tcpdump/bpf and seeing .1q tags"
• Reply: Charlie Schluting: "Re: tcpdump/bpf and seeing .1q tags"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Wed, 9 Mar 2005 14:05:46 -0800 (PST)
To: Charlie Schluting <charlie@schluting.com>

On Wed, 9 Mar 2005, Charlie Schluting wrote:

> Charlie Schluting wrote:
> > Charles Swiger wrote:
> >
> >> On Mar 9, 2005, at 2:22 PM, Charlie Schluting wrote:
> >>
> >>> More importantly, I'm trying to figure out if a bpf read will see
> >>> them as well. Any insight on this?
> >>
> >>
> >>
> >> Yes, or it will if you use promisc mode and an appropriate BPF filter:
> >>
> >
> > So promisc is enabled in my case.
> >
> > This seems to imply that the bpf will always see the vlan tags. (I don't
> > want to.. that was the point of my question)
> >
> > I believe this is starting to make sense. Thanks for your reply.
>
> Oh! Er.. I hit send too fast.
>
> So a BPF is supposed to ignore vlan tags unless 'vlan' is specified??
>

  Worse: tcpdump has not idea there is a tag on the packet causing any
other filters to compare against the wrong data in the packet. For this
reason, if you are going to run tcpdump on a parent interface, you need
to either specify no filter criteria or else specify the 'vlan' keyword
so tcpdump knows what it is getting.
  You'll have a similar issue with BPF programs you write: you'll either
need to skip over the vlan tag header or not, depending on whether you
snagged the packet from the parent interface or the vlan interface.

  Kelly

--
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
 government or information to the people.  This last is the most certain and
 the most legitimate engine of government."
	-- Thomas Jefferson to James Madison, 1787.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• Previous message: Qukasz_Bromirski?=: "Re: ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)"
• In reply to: Charlie Schluting: "Re: tcpdump/bpf and seeing .1q tags"
• Next in thread: Charlie Schluting: "Re: tcpdump/bpf and seeing .1q tags"
• Reply: Charlie Schluting: "Re: tcpdump/bpf and seeing .1q tags"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: [was] addition to ipfw (read vlans from bridge).. ... into the packet as well as the packet, then yes I like that idea, ... At the moment I plan the ipfw code to be unaware of vlan headers. ... What we need to do is make a convention so that vlan tags are always ... (freebsd-net) expected behavior of PF_PACKET on NETIF_F_HW_VLAN_RX device? ... the complete packet with vlan tag included as the driver simply calls ... thing vlan tag included and sends this through the socket. ... The packet socket gets everything including the vlan tag as I'd ... (Linux-Kernel) Re: addition to ipfw.. ... I would like to add something similar in the case where a vlan ... tag is also on the packet.. ... Then the vlan header is also held back so that the packet can be ... This allows me to filter packets that are traversing my bridge, ... (freebsd-net) Re: addition to ipfw.. ... I would like to add something similar in the case where a vlan ... tag is also on the packet.. ... Then the vlan header is also held back so that the packet can be ... The ipfw will be ignoring the vlan contents.. ... (freebsd-net) Re: addition to ipfw.. ... I would like to add something similar in the case where a vlan tag ... is also on the packet.. ... Then the vlan header is also held back so that the packet can be ... This allows me to filter packets that are traversing my bridge, ... (freebsd-net)