On Feb 1, 2013, at 4:49 AM, Bill Fenner <fen...@aristanetworks.com> wrote:

> We have wanted to fix the vlan support ever since it was added.

The "vlan" keyword serves two purposes:

        1) matching VLAN-encapsulated packets or VLAN-encapsulated packets
           on a particular VLAN;

        2) handling the extra MAC-layer header length due to the VLAN header.

That's also the case for "pppoed" and "mpls".

2), in the best of all possible worlds, would be done by having filter
programs that can, without much performance penalty, check for higher-level
protocol types in the presence of
VLAN/MPLS/PPPoE/GTP/fill-in-your-encapsulation-layering headers, so that
"tcp port 80" would find all packets on the network that are going to or
from TCP port 80, regardless of how IP is encapsulated.  If you wanted only
VLAN-encapsulated packets going to or from TCP port 80, you'd do "vlan and
tcp port 80"; if you only wanted *non*-VLAN-encapsulated packets going to or
from TCP port 80, you'd do "not vlan and tcp port 80".  "vlan" (and "pppoed"
and "mpls") would only handle 1) (and its equivalents).

Unfortunately, that requires changes to the machine code language for filter 
programs, so you'd have to somehow deal with systems where the kernel has a 
filtering engine but it doesn't support those changes.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
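
The semantics proposed in the message above, modelled in user space as an added example (not part of the original message and not libpcap code): a fixed-offset match that assumes a 14-byte MAC header is contrasted with a matcher that walks stacked VLAN tags before testing the TCP port. All function names and the sample frames are constructed for illustration, and only VLAN tags are handled (no MPLS, PPPoE or GTP).

```python
import struct

ETH_IPV4 = 0x0800
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol IDs

def tcp_ports(frame, l3):
    """(sport, dport) if an unfragmented IPv4/TCP header starts at l3, else None."""
    if len(frame) < l3 + 20 or frame[l3] >> 4 != 4 or frame[l3 + 9] != 6:
        return None
    ihl = (frame[l3] & 0x0F) * 4
    frag_off = struct.unpack_from("!H", frame, l3 + 6)[0] & 0x1FFF
    if ihl < 20 or frag_off or len(frame) < l3 + ihl + 4:
        return None
    return struct.unpack_from("!HH", frame, l3 + ihl)

def fixed_offset_match(frame, port):
    """Assumes a 14-byte MAC header: EtherType at 12, IP at 14."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    ports = tcp_ports(frame, 14)
    return ports is not None and port in ports

def parse(frame):
    """Walk any stacked VLAN tags; return (vlan_depth, ports or None)."""
    off, depth = 12, 0
    while len(frame) >= off + 2:
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in VLAN_TPIDS:
            return depth, tcp_ports(frame, off + 2) if etype == ETH_IPV4 else None
        off, depth = off + 4, depth + 1  # purpose 2: each tag shifts later headers by 4
    return depth, None

def evaluate(frame, port=80):
    """Results of the three expressions from the message, in its proposed semantics."""
    depth, ports = parse(frame)
    hit = ports is not None and port in ports
    return {"tcp port": hit, "vlan and tcp port": depth > 0 and hit,
            "not vlan and tcp port": depth == 0 and hit}

def build_frame(vlan_ids=()):
    """Constructed sample: Ethernet [+ VLAN tags] + IPv4 + TCP 49152 -> 80."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vlan_ids)
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2])
    tcp = struct.pack("!HH", 49152, 80) + bytes(16)
    return bytes(12) + tags + struct.pack("!H", ETH_IPV4) + ip + tcp

if __name__ == "__main__":
    for ids in ((), (100,), (100, 200)):
        f = build_frame(ids)
        print(ids, fixed_offset_match(f, 80), evaluate(f))
```

The fixed-offset matcher stops seeing the port-80 traffic as soon as one tag is present, which is the coverage gap to check for when a capture or monitoring filter is written without "vlan".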
