Stripping VLAN tags in pcap

From WTFwiki
Revision as of 22:47, 4 January 2013 by Jontow (talk | contribs) (1 revision)

This information should work in FreeBSD, OpenBSD, and NetBSD --
I'm not aware of others that use vlan(4) yet.

This solution is gathered from a monitoring host I operate that is on a SPAN port
of a VLAN'd switch that does not remove tags before giving them to the sensor.

This means that when you capture with tcpdump, tshark, etc., the 802.1Q tags
persist in your pcap files. A number of analysis programs (tcpflow, tcpxtract, etc.)
can't deal with this, since the extra 4-byte tag shifts the header offsets those
tools assume when they parse each frame.

To strip the tags at capture time, we use the interface cloning that *BSD provides.

On the sensor, with fxp0 as the capture interface and 2500 as the VLAN ID to strip, try this:

 # ifconfig vlan0 create
 # ifconfig vlan0 vlan 2500 vlandev fxp0
 # tcpdump -n -s0 -i vlan0 -w no-vlan-tags.cap

This will remove all tags before writing the pcap to disk. Note that vlan0 only
sees frames carrying tag 2500; frames with other VLAN IDs will not show up on it,
so create one vlan interface per tag you need to capture.
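If the capture already exists with the tags in it (for example from a sensor that does not have vlan(4)), the same result can be had after the fact by rewriting the pcap. The following Python script is an added example, not part of the wiki page: it parses the classic libpcap file format, removes every 802.1Q and 802.1ad (QinQ) tag from each Ethernet frame, fixes the per-packet lengths, and reports which VLAN IDs were seen. The pcap it runs on is constructed inline (three frames: one tagged 2500, one untagged, one double-tagged 100/2500); the MAC addresses and payload are made-up sample values.

```python
import struct
from collections import Counter

# Tag Protocol Identifiers that introduce a 4-byte VLAN tag after the MACs.
TPID_8021Q = 0x8100        # standard 802.1Q customer tag
TPID_8021AD = 0x88A8       # 802.1ad service (outer QinQ) tag
TPID_QINQ_LEGACY = 0x9100  # pre-standard QinQ outer tag
VLAN_TPIDS = (TPID_8021Q, TPID_8021AD, TPID_QINQ_LEGACY)

# Classic pcap magic values, mapped to the struct byte-order prefix to use.
PCAP_MAGICS = {
    0xA1B2C3D4: "<", 0xD4C3B2A1: ">",  # microsecond timestamps
    0xA1B23C4D: "<", 0x4D3CB2A1: ">",  # nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def strip_vlan_tags(frame: bytes) -> tuple[bytes, list[int]]:
    """Remove every stacked VLAN tag from one Ethernet frame.

    Returns the untagged frame and the list of VLAN IDs removed (outer first).
    Each tag is TPID(2) + TCI(2); the VLAN ID is the low 12 bits of the TCI.
    """
    if len(frame) < 14:
        return frame, []          # too short to be an Ethernet frame
    macs, rest = frame[:12], frame[12:]
    vids = []
    while len(rest) >= 4 and struct.unpack("!H", rest[:2])[0] in VLAN_TPIDS:
        tci = struct.unpack("!H", rest[2:4])[0]
        vids.append(tci & 0x0FFF)
        rest = rest[4:]           # drop the tag; next field is the real EtherType
    return macs + rest, vids


def strip_vlan_pcap(data: bytes) -> tuple[bytes, dict]:
    """Rewrite a classic pcap so no frame carries a VLAN tag.

    Returns the new pcap bytes and a stats dict. Only Ethernet link type is
    supported, because the tag position depends on the link-layer header.
    """
    if len(data) < 24:
        raise ValueError("not a pcap file: global header too short")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown pcap magic 0x%08x" % magic)
    endian = PCAP_MAGICS[magic]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are supported")

    out = bytearray(data[:24])    # global header is unchanged
    stats = {"packets": 0, "tagged_packets": 0, "vlan_ids": Counter()}
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        new_pkt, vids = strip_vlan_tags(pkt)
        removed = len(pkt) - len(new_pkt)
        stats["packets"] += 1
        if vids:
            stats["tagged_packets"] += 1
            stats["vlan_ids"].update(vids)
        # Both lengths shrink by the bytes removed; the wire length stays honest.
        out += struct.pack(endian + "IIII", ts_sec, ts_frac,
                           len(new_pkt), orig_len - removed)
        out += new_pkt
    stats["vlan_ids"] = dict(stats["vlan_ids"])
    return bytes(out), stats


# ---- constructed sample data (not from a real capture) ----------------------
def build_frame(vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Build an Ethernet frame with zero or more stacked VLAN tags."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap with Ethernet link type."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1357340820 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


SAMPLE_PCAP = build_pcap([build_frame([2500]), build_frame([]), build_frame([100, 2500])])

if __name__ == "__main__":
    cleaned, stats = strip_vlan_pcap(SAMPLE_PCAP)
    print("packets=%(packets)d tagged=%(tagged_packets)d vlans=%(vlan_ids)s" % stats)
    with open("no-vlan-tags.cap", "wb") as fh:
        fh.write(cleaned)
```

Unlike the vlan(4) approach, this keeps frames from every VLAN in one file, so use the reported VLAN IDs to split the capture first if the downstream tool should only see one network.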