How do I filter double tagged traffic using tcpdump?
January 28, 2014 8:47 AM
How do I filter (and capture) by host double vlan tagged (QinQ) traffic using tcpdump?
There's too much data if I just dump everything but I can't figure out how to filter for just a specific host :C
This post was deleted for the following reason: poster's request -- jessamyn
Response by poster: Doing 'dst w.x.y.z' doesn't work with my traffic.
It works fine with regular traffic and seems to work with 'vlan nnn and dst w.x.y.z', but '(vlan nnn && vlan mmm) and host w.x.y.z' doesn't work :(
Also it's like 8 gigabytes of data a minute, so I really cannot capture everything.
posted by yeoz at 9:22 AM on January 28, 2014
Response by poster: Er, my last comment is weird, and I don't even know how to rewrite it.
(vlan nnn and host w.x.y.z) doesn't work because the traffic I need to capture is double tagged, although that works fine with regular traffic in my network. And I'm not sure how to filter double tagged traffic.
posted by yeoz at 9:44 AM on January 28, 2014
That said, you can capture traffic from a particular host with something like this:
tcpdump -w comm.pcap -i eth0 dst w.x.y.z and port XX.
A good guide to TCPdump here.
posted by Pogo_Fuzzybutt at 8:59 AM on January 28, 2014
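As an added example (not code from the thread), here is a small Python parser that walks the 4-byte VLAN tags of a QinQ frame the same way tcpdump's `vlan` keyword shifts its offsets, and then applies the outer-VLAN, inner-VLAN and host match the poster is after, extending Pogo_Fuzzybutt's `dst w.x.y.z` host filter to double-tagged frames. The frame, MACs and addresses are constructed sample data.

```python
import struct
import ipaddress

# TPIDs that introduce a 4-byte VLAN tag (802.1ad outer S-tag, 802.1Q C-tag).
VLAN_TPIDS = {0x88A8, 0x8100}
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vlan_ids, ethertype, payload); each VLAN tag is TPID + TCI = 4 bytes,
    the same 4-byte shift tcpdump applies to later offsets for every `vlan` keyword."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_ids = 14, []
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlan_ids, ethertype, frame[offset:]


def matches(frame: bytes, outer_vlan: int, inner_vlan: int, host: str) -> bool:
    """Software equivalent of `vlan <outer> and vlan <inner> and host <ip>`."""
    vlan_ids, ethertype, payload = parse_frame(frame)
    if vlan_ids[:2] != [outer_vlan, inner_vlan] or ethertype != ETHERTYPE_IPV4:
        return False
    if len(payload) < 20:
        return False  # not a full IPv4 header
    src, dst = ipaddress.IPv4Address(payload[12:16]), ipaddress.IPv4Address(payload[16:20])
    return host in (str(src), str(dst))


def build_frame(tags, src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample frame: two MACs, (TPID, VID) tags, and a bare IPv4 header."""
    frame = bytes.fromhex("001122334455" "66778899aabb")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return frame


if __name__ == "__main__":
    qinq = build_frame([(0x88A8, 100), (0x8100, 200)], "10.0.0.1", "10.0.0.2")
    print(parse_frame(qinq)[0], matches(qinq, 100, 200, "10.0.0.2"))  # [100, 200] True
```

In tcpdump the same match is written with one `vlan` per tag in encounter order, `vlan nnn and vlan mmm and host w.x.y.z`, because each `vlan` keyword shifts the offsets of everything after it by 4 bytes. If the outer tag carries TPID 0x88a8 (802.1ad), look at a few raw frames with `tcpdump -e -xx` to confirm your libpcap's `vlan` keyword recognises it, since older versions matched only 0x8100.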