Filtering tcpdump Capture from File with VLAN

I had written a packet capture with tcpdump into a file for future analysis. The interface the capture was taken on had multiple VLANs trunked.

When I got around to analyzing the file, I found I could read it with no issues at all using no filter:

$ tcpdump -n -r capture.pcap
reading from file capture.pcap, link-type EN10MB (Ethernet), snapshot length 262144
14:12:01.178032 IP 192.0.2.1.11707 > 192.0.2.2.1801: Flags [SE], seq 767283997:767284866, win 63637, length 869
14:12:01.178033 IP 192.0.2.16.444 > 192.0.2.11.54046: Flags [P.], seq 3583119832:3583121080, ack 2104707338, win 62, options [nop,nop,TS val 5855418 ecr 1582215704], length 1248

However, the capture file was quite large and I needed to separate the traffic I was interested in from the noise. The traffic I wanted was anything to/from TCP port 1801. When I tried to filter traffic as I would with live captures, I didn’t get any output:

$ tcpdump -n -r capture.pcap tcp port 1801
reading from file capture.pcap, link-type EN10MB (Ethernet), snapshot length 262144
$

This is strange: the very first packet in the capture is the traffic I am interested in.

After a quick search it turns out that when reading from a file the filter needs to be crafted slightly differently: it needs to include vlan and ip. This is noted in issue #900 on GitHub.

After changing the filter it indeed worked:

$ tcpdump -n -r capture.pcap vlan and ip and tcp port 1801
reading from file capture.pcap, link-type EN10MB (Ethernet), snapshot length 262144
14:12:01.178032 IP 192.0.2.1.11707 > 192.0.2.2.1801: Flags [SE], seq 767283997:767284866, win 63637, length 869
14:12:01.178041 IP 192.0.2.1.63260 > 192.0.2.2.1801: Flags [SE], seq 4145870849:4145871736, win 61880, length 887
14:12:01.178042 IP 192.0.2.1.47243 > 192.0.2.2.1801: Flags [SE], seq 3096165643:3096166491, win 62558, length 848
14:12:01.178044 IP 192.0.2.1.18821 > 192.0.2.2.1801: Flags [SE], seq 1233498205:1233499056, win 60911, length 851
14:12:01.178045 IP 192.0.2.1.2529 > 192.0.2.2.1801: Flags [SE], seq 165788181:165789036, win 62259, length 855
14:12:01.178057 IP 192.0.2.1.23221 > 192.0.2.2.1801: Flags [SE], seq 1521856057:1521856951, win 62146, length 894
14:12:01.178058 IP 192.0.2.1.55885 > 192.0.2.2.1801: Flags [SE], seq 3662540894:3662541766, win 63325, length 872
14:12:01.178061 IP 192.0.2.1.22577 > 192.0.2.2.1801: Flags [SE], seq 1479637542:1479638406, win 61562, length 864
14:12:01.178080 IP 192.0.2.1.47762 > 192.0.2.2.1801: Flags [SE], seq 3130185539:3130186411, win 64352, length 872
14:12:01.178081 IP 192.0.2.1.21903 > 192.0.2.2.1801: Flags [SE], seq 1435448324:1435449191, win 63483, length 867
14:12:01.178084 IP 192.0.2.1.2866 > 192.0.2.2.1801: Flags [SE], seq 187843130:187844011, win 61741, length 881
14:12:01.178085 IP 192.0.2.1.23550 > 192.0.2.2.1801: Flags [SE], seq 1543390002:1543390871, win 64230, length 869
14:12:01.178092 IP 192.0.2.1.46060 > 192.0.2.2.1801: Flags [SE], seq 3018640133:3018640996, win 65245, length 863
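
Why the plain filter matched nothing on these tagged frames, as an added example (not code from the original post or from tcpdump): `tcp port 1801` looks for the EtherType at byte offset 12, where an 802.1Q-tagged frame carries 0x8100, and the `vlan` keyword shifts the later offsets by 4 bytes. This is a simplified, IPv4-only Python model run on constructed frames; it assumes a single tag with TPID 0x8100, and the function names and VLAN ID 100 are made up for illustration.

```python
import struct

ETH_IPV4, ETH_8021Q, PROTO_TCP = 0x0800, 0x8100, 6

def build_frame(sport, dport, vlan_id=None):
    """Constructed sample: Ethernet [+ 802.1Q tag] + IPv4 + TCP headers, no payload."""
    eth = bytes(12)  # zeroed destination and source MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def match_tcp_port(frame, port, l2_len=14):
    """Model of 'tcp port N' for IPv4: every offset is relative to a fixed L2 length."""
    if len(frame) < l2_len + 20:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != ETH_IPV4 or frame[l2_len + 9] != PROTO_TCP:
        return False
    if struct.unpack_from("!H", frame, l2_len + 6)[0] & 0x1FFF:
        return False  # non-first fragment carries no TCP header
    ihl = (frame[l2_len] & 0x0F) * 4  # IPv4 header length in bytes
    if len(frame) < l2_len + ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l2_len + ihl)
    return port in (sport, dport)

def match_vlan_tcp_port(frame, port):
    """Model of 'vlan and ip and tcp port N': require the tag, then shift offsets by 4."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETH_8021Q:
        return False
    return match_tcp_port(frame, port, l2_len=18)

if __name__ == "__main__":
    for name, f in (("untagged", build_frame(11707, 1801)),
                    ("vlan 100", build_frame(11707, 1801, vlan_id=100))):
        print(name, match_tcp_port(f, 1801), match_vlan_tcp_port(f, 1801))
```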
