If you run tcpdump on an interface attached to a mirrored port (SPAN port) on a switch, first check whether the mirrored port is an access port or a trunk port (802.1Q tagged VLAN), because if it is a trunk port you must specify the "vlan" macro in the tcpdump filter expression.
Prerequisite settings (CentOS)
eth1 – the interface plugged into the mirrored port
[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
# add this line
PROMISC=yes
[root@localhost ~]# service network restart
or change it dynamically with the ifconfig command
[root@localhost ~]# ifconfig eth1 promisc
The basic command to filter only traffic for IP 10.10.10.10:
[root@localhost ~]# tcpdump -nn -i eth1 host 10.10.10.10
It does not print any output. I can verify that traffic exists for that host 10.10.10.10 by doing:
[root@localhost ~]# tcpdump -nn -i eth1 | grep 10.10.10.10
This does in fact produce the results I want, but it is not a good workaround: what makes tcpdump so useful is its rich filtering language, so why not use it?
Let's now take a look at what happens to the Ethernet frame header when it carries VLAN tag information. The picture shows where our problem comes from: we are dealing with an off-by-4-byte error (red rectangle in the picture), because the 4-byte 802.1Q tag is inserted between the source MAC address and the EtherType, shifting every later field by 4 bytes.
Here we filter only for packets that carry a VLAN tag and involve the IP address 10.10.10.10, by combining the vlan macro with the host filter.
By explicitly applying the vlan macro the filtering system will properly detect the VLAN header and account for it when processing the other embedded protocols. It is worth noting that this will only match on packets that contain the VLAN header.
If you want a generic solution, say you don't know whether tags are present, or your capture contains a mix of packets that may or may not have a VLAN tag, you can write your filter like this:
[root@localhost ~]# tcpdump -nn -i eth1 'host 10.10.10.10 or ( vlan and host 10.10.10.10 )'
Finding out that VLANs are used on the network you're dealing with (and if the infrastructure is any more complicated than a very small one, they probably are) has some far-reaching consequences for your filters, so it is worth checking yourself rather than having to ask the network administrator:
[root@localhost ~]# tcpdump -nn -i eth1 -e vlan
option: -e prints the link-level header on each dump line, which includes the 802.1Q tag and its VLAN ID.
If the output above shows that the VLAN ID is 111, you can narrow the macro to that VLAN as below:
[root@localhost ~]# tcpdump -nn -i eth1 'host 10.10.10.10 or ( vlan 111 and host 10.10.10.10 )'
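To make the off-by-4 problem concrete, here is an added Python example (not part of the original post) that builds constructed Ethernet frames with and without an 802.1Q tag and mimics the three filters discussed above: 'host IP', 'vlan [ID] and host IP', and 'host IP or (vlan and host IP)'. The MAC addresses, IPs and VLAN ID 111 are constructed sample values.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Construct a minimal Ethernet II frame with an IPv4 header (payload omitted)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    if vlan_id is not None:
        # 4-byte 802.1Q tag: TPID 0x8100 + TCI (PCP/DEI = 0, 12-bit VID)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip

def ipv4_addrs(frame, offset):
    """Read (src, dst) from an IPv4 header that starts at `offset`."""
    src = ".".join(map(str, frame[offset + 12:offset + 16]))
    dst = ".".join(map(str, frame[offset + 16:offset + 20]))
    return src, dst

def match_host(frame, ip, filt, vlan_id=None):
    """Mimic tcpdump's filters:
         'host IP'                       -> filt='plain'  (untagged frames only)
         'vlan [ID] and host IP'         -> filt='vlan'   (tagged frames only)
         'host IP or (vlan and host IP)' -> filt='either'
    """
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:
        if filt == "plain":
            # The off-by-4 error: a plain 'host' filter expects 0x0800 at offset 12,
            # finds the 0x8100 TPID instead, and silently never matches.
            return False
        vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        if vlan_id is not None and vid != vlan_id:
            return False
        inner = struct.unpack_from("!H", frame, 16)[0]   # EtherType after the tag
        return inner == ETHERTYPE_IPV4 and ip in ipv4_addrs(frame, 18)
    if filt == "vlan":
        return False          # 'vlan and ...' matches tagged frames only
    return ethertype == ETHERTYPE_IPV4 and ip in ipv4_addrs(frame, 14)

if __name__ == "__main__":
    tagged = build_frame("10.10.10.10", "192.0.2.1", vlan_id=111)
    plain = build_frame("10.10.10.10", "192.0.2.1")
    for filt in ("plain", "vlan", "either"):
        print(filt, match_host(plain, "10.10.10.10", filt), match_host(tagged, "10.10.10.10", filt))
```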
Resource:
http://commons.wikimedia.org/wiki/File:TCPIP_802.1Q.jpg (full-size picture of the 802.1Q Ethernet frame)