capture filter "vlan and stp" showing nothing

What am I doing wrong? I have a dot1q trunk and am trying to capture stp traffic only. I use the filter "vlan and stp" and get nothing. But if I capture traffic with no capture filter and use "stp" as a display filter, I see all the stp packets with their 802.1q tags.

All the traffic on this trunk is 802.1q tagged ...

Thanks for any help ... I'm a noob. ;-)

surenets
asked 2019-03-06 00:50:31 +0000

Comments

update:

  1. vlan part of the filter works ... I sniffed without tags and capture of stp still doesn't work
  2. stp packets I'm seeing are pvst stuff, display filter recognizes them
  3. the BPF code lets me know that the capture filter doesn't recognize this form of stp:

    (000) ldh [12]
    (001) jgt #0x5dc jt 5 jf 2    (checks that the packets are 1500 bytes or less)
    (002) ldb [14]
    (003) jeq #0x42 jt 4 jf 5     (spanning tree SAP)
    (004) ret #262144
    (005) ret #0

but the packets for RPVST have SNAP PID of 0x010B

I'm guessing, but is there a way to capture filter based on the SNAP PID?

Apparently the display filtering system knows how to do it, but the capture filtering doesn't.

surenets (2019-03-06 03:34:45 +0000)

1 Answer

libpcap's BPF compiler doesn't generate code to test for (R)PVST+, as per libpcap issue #678. There isn't a convenient way to test for that; you'd have to use the expr relop expr mechanism in the pcap filter language to test for it - and you'd have to take the VLAN header's presence into account.

Guy Harris
answered 2019-03-06 11:25:26 +0000

Comments

Thank you ... I added a filter "vlan and ether[18:2]=0xaaaa" and limited my capture to SNAP and that's good enough for what I'm doing.

surenets (2019-03-06 18:51:52 +0000)
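
The byte-offset test described in the answer, as an added example that is not part of the original thread or of libpcap: it renders the "ether[offset:size] = value" terms for tagged and untagged frames and applies the same comparisons to constructed frames, showing that the SNAP-only test also accepts other SNAP protocols while the PID test does not. Assumptions: the SNAP OUI is Cisco's 00:00:0c (not stated in the thread), the 802.1Q tag is present in the bytes the filter sees, and all names and sample frames are constructed for illustration.

```python
import struct

# Each tuple mirrors one "ether[offset:size] = value" term of a pcap filter.
# Offsets are for an untagged 802.3 frame; an 802.1Q tag shifts them by 4.
SNAP_ONLY = [(14, 2, 0xAAAA)]   # LLC DSAP/SSAP = SNAP
PVST_PLUS = SNAP_ONLY + [
    (16, 4, 0x0300000C),        # LLC control 0x03 + Cisco OUI 00:00:0c (assumption)
    (20, 2, 0x010B),            # SNAP PID quoted in the question
]

def filter_text(terms, tagged):
    """Render the terms as a pcap filter string."""
    shift = 4 if tagged else 0
    expr = " and ".join(
        "ether[%d:%d] = 0x%0*x" % (off + shift, size, 2 * size, val)
        for off, size, val in terms)
    return "vlan and " + expr if tagged else expr

def matches(frame, terms, tagged):
    """Apply the same byte comparisons to raw frame bytes."""
    if tagged and frame[12:14] != b"\x81\x00":   # simplified: 802.1Q TPID only
        return False
    shift = 4 if tagged else 0
    for off, size, val in terms:
        field = frame[off + shift:off + shift + size]
        if len(field) < size or int.from_bytes(field, "big") != val:
            return False
    return True

def make_frame(llc, vlan_id=None):
    """Constructed sample frame: MACs, optional tag, length, LLC/SNAP, padding."""
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id)
    body = llc + bytes(36)
    return bytes(6) + bytes(6) + tag + struct.pack("!H", len(body)) + body

# Constructed LLC/SNAP headers (not captured traffic).
PVST = bytes.fromhex("aaaa0300000c010b")        # SNAP, PID 0x010b
OTHER_SNAP = bytes.fromhex("aaaa0300000c2000")  # SNAP, a different PID
IEEE_STP = bytes.fromhex("424203")              # the SAP 0x42 form "stp" compiles to

if __name__ == "__main__":
    print(filter_text(PVST_PLUS, tagged=True))
    for name, llc in [("pvst", PVST), ("other-snap", OTHER_SNAP), ("ieee-stp", IEEE_STP)]:
        f = make_frame(llc, vlan_id=10)
        print(name, matches(f, SNAP_ONLY, True), matches(f, PVST_PLUS, True))
```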
