tcpdump 802.1q errata


  • Mon 20 October 2014
  • misc

I've only tested this on MacOSX 10.9 (Mavericks), but tcpdump(1) exhibits some slightly odd behavior with respect to decoding packets that are sniffed from a vlan trunk (i.e. 802.1q encapsulated).

To wit, if you do a tcpdump with no flags, along the lines of:

tcpdump -n -s 1500 -i en0

you see all the packets. But suppose you want to filter and see only one host; you try:

tcpdump -n -s 1500 -i en0 host 172.30.251.39

No packets are shown, even though there are plenty whizzing by with that host address. The same thing happens when filtering by port or anything else.

The trick is to provide a vlan that the traffic of interest is on, such as:

tcpdump -n -s 1500 -i en0 vlan 10 and host 172.30.251.39

That seems to do the job. It's interesting that the pretty-printer knows how to figure out whether the encapsulation is 802.1q or not and do the right thing, but the filtering mechanism does not. I think that it might be reasonable for the default behavior to be otherwise, but retain the ability to put it back.
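To show why the plain `host` filter misses the tagged frames, here is an added example (not code from the original post or from tcpdump) that models the fixed byte offsets the two filters compile to: `host X` tests the EtherType at offset 12 and the IPv4 addresses at offsets 26 and 30, whereas `vlan 10 and host X` first checks the 0x8100 tag and VLAN ID at offsets 12 and 14 and then shifts every later offset by 4. The frames and addresses are constructed for the demo, not captured traffic.

```python
import struct

# Constructed sample values (not captured traffic).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
HOST = "172.30.251.39"


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header; only the address fields matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ip_bytes(src), ip_bytes(dst))


def untagged_frame(src: str, dst: str) -> bytes:
    """Ethernet II frame: dst MAC, src MAC, EtherType 0x0800, IPv4 at offset 14."""
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ipv4_header(src, dst)


def tagged_frame(vlan_id: int, src: str, dst: str) -> bytes:
    """802.1q frame: TPID 0x8100 + TCI (VID in low 12 bits) inserted before the
    real EtherType, which pushes the IPv4 header out to offset 18."""
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return DST_MAC + SRC_MAC + tag + struct.pack("!H", 0x0800) + ipv4_header(src, dst)


def match_host(frame: bytes, host: str) -> bool:
    """What 'host X' compiles to: EtherType at 12, IP src/dst at 26/30.
    On a tagged frame offset 12 holds 0x8100, so this never matches."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return False
    return host in (ip_str(frame[26:30]), ip_str(frame[30:34]))


def match_vlan_and_host(frame: bytes, vlan_id: int, host: str) -> bool:
    """What 'vlan N and host X' compiles to: verify the tag and VID, then
    evaluate the host test with all offsets shifted by the 4-byte tag."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x8100:
        return False
    if struct.unpack_from("!H", frame, 14)[0] & 0x0FFF != vlan_id:
        return False
    if struct.unpack_from("!H", frame, 16)[0] != 0x0800:
        return False
    return host in (ip_str(frame[30:34]), ip_str(frame[34:38]))
```

The order matters: the `vlan` primitive shifts the offsets for every primitive that follows it, so `host 172.30.251.39 and vlan 10` would still miss the tagged frames.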