tcpdump doesn't show VLAN IDs
tcpdump ion current Debian testing does not show the VLAN ID in 802.1q
tagged Ethernet frames.
I have observed this using two machines:
(A) Linux-2.4.34.4, almost everything compiled on my own from scratch
tcpdump-3.9.5 and libpcap 0.9.5
(B) Debian testing, up to date, kernel 2.6.18-4-686, tcpdump 3.9.5 and
libpcap 0.9.5.
I have configured VLAN 100 on both machines using vconfig add eth0 100,
have set addresses 172.16.6.1/24 and 172.16.6.2/24 resp. to eth0.100
interfaces, and have set the interfaces up. The VLAN works.
But if I run tcpdump on eth0 on the Debian machine, it doesn't show me
the VLAN ID.
On (A) I do
ping -c1 172.16.6.2
and I run tcpdump on both machines on interface eth0:
host-A # tcpdump -ne -i eth0 -xx not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:48.128953 00:00:d1:9d:7b:a8 > 00:90:27:8f:dc:65, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 172.16.6.1 > 172.16.6.2: ICMP echo request, id 44817, seq 0, length 64
0x0000: 0090 278f dc65 0000 d19d 7ba8 8100 0064
0x0010: 0800 4500 0054 0000 4000 4001 d685 ac10
0x0020: 0601 ac10 0602 0800 dd63 af11 0000 444f
0x0030: 6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
0x0040: 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
0x0050: 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
13:55:48.129669 00:90:27:8f:dc:65 > 00:00:d1:9d:7b:a8, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 172.16.6.2 > 172.16.6.1: ICMP echo reply, id 44817, seq 0, length 64
0x0000: 0000 d19d 7ba8 0090 278f dc65 8100 0064
0x0010: 0800 4500 0054 d656 0000 4001 402f ac10
0x0020: 0602 ac10 0601 0000 e563 af11 0000 444f
0x0030: 6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
0x0040: 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
0x0050: 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
host-B (Debian) # tcpdump -ne -xx -i eth0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:48.127450 00:00:d1:9d:7b:a8 > 00:90:27:8f:dc:65, ethertype 802.1Q (0x8100), length 102: ethertype IPv4, 172.16.6.1 > 172.16.6.2: ICMP echo request, id 44817, seq 0, length 64
0x0000: 0090 278f dc65 0000 d19d 7ba8 8100 0064
^^^^^^^^^
0x0010: 0800 4500 0054 0000 4000 4001 d685 ac10
0x0020: 0601 ac10 0602 0800 dd63 af11 0000 444f
0x0030: 6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
0x0040: 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
0x0050: 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
13:55:48.127546 00:90:27:8f:dc:65 > 00:00:d1:9d:7b:a8, ethertype 802.1Q (0x8100), length 102: ethertype IPv4, 172.16.6.2 > 172.16.6.1: ICMP echo reply, id 44817, seq 0, length 64
0x0000: 0000 d19d 7ba8 0090 278f dc65 8100 0064
^^^^^^^^^
0x0010: 0800 4500 0054 d656 0000 4001 402f ac10
0x0020: 0602 ac10 0601 0000 e563 af11 0000 444f
0x0030: 6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
0x0040: 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
0x0050: 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
As you can see, the self-compiled tcpdump shows the VLAN tag, i.e.
"vlan 100, p 0" while the Debian version does not, although it sees
the complete ethernet frame header including the VLAN tag (marked
with ^^^^^^^^^ in the hexdump) and it shows that it is a VLAN tagged
frame.
Has Debian patched the tcpdump src or is this a bug?
urs
Reply to: