This one time, at band camp, Wim Kerkhoff wrote:
>Recently I ran into an interesting but frustrating problem when trying
>to perform traffic accounting on a VLAN trunk port on a Linux 2.6 router.
>
>Using libpcap tools like tcpdump, tethereal, and pmacctd to sniff
>traffic on the physical ethernet port where 802.1Q trunking is enabled
>will simply NOT work.
>
>The only traffic that will be seen on ethX is traffic originating
>(FORWARD or OUTPUT packets) from the router to the wire - no input
>frames are ever seen. Somehow between the e1000 driver and the network
>card, the VLAN tags are stripped from the frames and sent directly to
>the virtual interfaces (vlanX).
>
>The Windows Intel gigE drivers have a work around:
>http://support.intel.com/support/network/sb/cs-005897.htm
>
>... but I haven't been able to find a working Linux equivalent. Ben
>Grear (802.1Q for Linux developer) has a kernel patch to make VLAN
>Filtering an option using ethtool, but I couldn't get it to work. After
>a whole bunch of research, poking around in network drivers, reading
>EEPROM specs from Intel, testing, and so on, I ended up moving the VLAN
>trunk from the e1000 card to an e100 card... works great now!
>
>So if IP accounting is required on a gigabit VLAN enabled Linux router,
>either a separate port mirror is required, or use a non-e1000 driver
>such as the Broadcom gigabit ones.
>
>One other problem I ran into is that sniffing eth0 for VLAN packets with
>other filtering criteria wouldn't work with a freshly compiled libpcap &
>tcpdump (latest versions). It kept complaining that the filter discarded
>all traffic. Same filter string worked fine with the Debian packages for
>libpcap & tcpdump.

I've got 'vlan and ...' in my pcap_filter variable, and that works.
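
For reference, an added example that is not part of the original thread: a small Python parser showing where the 802.1Q tag sits in an Ethernet frame and why per-VLAN accounting on the trunk depends on the tag still being present at the capture point. A pcap `vlan` filter matches on the 0x8100 type field and evaluates the rest of the expression 4 bytes further in, so a frame whose tag was removed before capture cannot match it. The frames, MAC addresses, VLAN ids and function names below are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_IPV4 = 0x0800

def parse_frame(frame: bytes) -> dict:
    """Return the VLAN id (None if untagged), inner EtherType and L3 offset."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, l3_off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3 bits priority, 1 bit DEI, 12 bits VLAN id; real EtherType follows
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, l3_off = tci & 0x0FFF, 18
    return {"vlan": vlan, "ethertype": ethertype, "l3_offset": l3_off}

def account(frames):
    """Byte counters per VLAN id; key None collects frames seen without a tag."""
    totals = {}
    for f in frames:
        info = parse_frame(f)
        totals[info["vlan"]] = totals.get(info["vlan"], 0) + len(f)
    return totals

def _frame(payload_len, vlan=None):
    """Build a constructed test frame with zeroed payload (hypothetical helper)."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan)
    return hdr + struct.pack("!H", ETH_IPV4) + bytes(payload_len)

# Constructed samples: tagged frames as carried on the trunk, and the same
# frames with the tag already removed before the capture point.
ON_WIRE = [_frame(100, vlan=10), _frame(200, vlan=20), _frame(50, vlan=10)]
STRIPPED = [_frame(100), _frame(200), _frame(50)]

if __name__ == "__main__":
    print("tagged capture:  ", account(ON_WIRE))
    print("stripped capture:", account(STRIPPED))
```

With the tags intact the counters split per VLAN; with the tags gone all bytes land under `None`, which is the accounting failure described in the quoted message.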
