tcpdump filters captured traffic with libpcap filter expressions, a syntax also known as BPF syntax, in which port num selects packets to or from a given port. Sometimes, however, as soon as such a filter is enabled no packets for that port show up at all, while the same capture without a filter clearly contains them.

When this happens, the interface you are capturing on is most likely carrying 802.1Q VLAN-tagged frames (a trunk port, or the physical parent of a VLAN sub-interface): frames sent through a VLAN interface carry a 4-byte VLAN tag between the Ethernet header and the IP header. The compiled port filter tests fixed offsets that assume the IP header starts right after the 14-byte Ethernet header, so on a tagged frame it reads the wrong bytes and port num never matches. Put the vlan keyword in front of the port test, i.e. vlan and port num: libpcap then recognises the tag, shifts its offsets past it, and the port can be matched again. Two caveats: vlan and port num matches only tagged frames, so on a link that carries both tagged and untagged traffic use port num or (vlan and port num); and if you capture on the VLAN sub-interface itself (eth0.100, for example) the kernel has already stripped the tag, so plain port num works there. You can see the adjustment with tcpdump -d, which prints the compiled filter: with port 80 alone the IPv4 protocol byte is loaded from offset 23, while with vlan and port 80 the program first tests for ethertype 0x8100 at offset 12 and then loads it from offset 27 (on Linux the program can look somewhat different, because the kernel may deliver the tag as packet metadata rather than inline, and libpcap checks for both).

The relevant entry in the pcap-filter(7) manual page:

vlan [vlan_id]

True if the packet is an IEEE 802.1Q VLAN packet. If the optional vlan_id is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in an expression changes the decoding offsets for the remainder of the expression on the assumption that the packet is a VLAN packet. The vlan [vlan_id] keyword may be used more than once, to filter on VLAN hierarchies. Each use of that keyword increments the filter offsets by 4.

For example:

vlan 100 && vlan 200

filters on VLAN 200 encapsulated within VLAN 100, and

vlan && vlan 300 && ip

filters IPv4 protocol encapsulated in VLAN 300 encapsulated within any higher order VLAN.
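To make the offset shift behind both the symptom described above and the manual page's "each use of that keyword increments the filter offsets by 4" concrete, here is an added Python example (not code from the original note and not libpcap's own implementation). It builds a few sample frames and a small matcher that follows the same rule the compiled filter does: with no vlan keyword the IPv4 header is assumed to start at offset 14, and each vlan keyword checks for a 0x8100 tag at the current position and moves every later offset 4 bytes further in. The frame builder, the function names, the MAC/IP addresses and the ports are all constructed for this illustration; only IPv4 over TCP or UDP is handled, and 0x88a8/0x9100 outer tags are ignored.

```python
"""Added example: emulate how libpcap's `port` test is affected by 802.1Q tags.

Not code from the original note or from libpcap; the frame builder, the
matcher and all sample addresses/ports are constructed for illustration.
Only IPv4 carried over TCP or UDP is handled.
"""
import struct

ETH_HDR_LEN = 14        # dst MAC (6) + src MAC (6) + ethertype (2)
VLAN_TAG_LEN = 4        # TPID (2) + TCI (2); BPF shifts offsets by this per `vlan`
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(vlan_ids, proto, sport, dport):
    """Build a minimal Ethernet / [802.1Q]* / IPv4 / TCP-or-UDP frame (constructed sample)."""
    eth = bytes.fromhex("001122334455" "66778899aabb")   # dst MAC, src MAC (made up)
    hdr = b"".join(struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) for vid in vlan_ids)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)             # ethertype after the last tag
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left 0
    return eth + hdr + ip + l4


def port_matches(frame, port, vlans=()):
    """Emulate `[vlan [id] and ...] port <port>` the way libpcap compiles it.

    `vlans` holds one entry per `vlan` keyword: an int to require that VLAN
    id, or None for a bare `vlan`. As in BPF, each entry assumes a tag at the
    current position and moves every later offset 4 bytes further in; with no
    entry, the IPv4 header is assumed to start right after the 14-byte
    Ethernet header.
    """
    off = ETH_HDR_LEN                      # where the filter believes IPv4 starts
    try:
        for want in vlans:
            tpid, tci = struct.unpack_from("!HH", frame, off - 2)
            if tpid != ETHERTYPE_VLAN:
                return False
            if want is not None and (tci & 0x0FFF) != want:
                return False
            off += VLAN_TAG_LEN
        (ethertype,) = struct.unpack_from("!H", frame, off - 2)
        if ethertype != ETHERTYPE_IPV4:
            return False                   # e.g. 0x8100 seen where 0x0800 was expected
        if frame[off + 9] not in (IPPROTO_TCP, IPPROTO_UDP):
            return False
        if struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF:
            return False                   # ports live only in the first fragment
        ihl = (frame[off] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    except (struct.error, IndexError):
        return False                       # truncated frame: BPF would not match
    return port in (sport, dport)


def port_matches_any_tagging(frame, port):
    """Equivalent of `port N or (vlan and port N)` for mixed tagged/untagged links."""
    return port_matches(frame, port) or port_matches(frame, port, [None])


def demo():
    untagged = build_frame([], IPPROTO_TCP, 40000, 80)
    tagged = build_frame([100], IPPROTO_TCP, 40000, 80)
    qinq = build_frame([100, 200], IPPROTO_UDP, 5353, 53)
    return {
        "port 80 / untagged": port_matches(untagged, 80),                  # True
        "port 80 / tagged": port_matches(tagged, 80),                      # False: the symptom
        "vlan and port 80 / tagged": port_matches(tagged, 80, [None]),     # True
        "vlan 100 and port 80 / tagged": port_matches(tagged, 80, [100]),  # True
        "vlan 101 and port 80 / tagged": port_matches(tagged, 80, [101]),  # False
        "vlan 100 and port 53 / QinQ": port_matches(qinq, 53, [100]),      # False: inner tag in the way
        "vlan 100 and vlan 200 and port 53 / QinQ": port_matches(qinq, 53, [100, 200]),  # True
        "port 80 or (vlan and port 80) / both": port_matches_any_tagging(untagged, 80)
                                                 and port_matches_any_tagging(tagged, 80),  # True
    }


if __name__ == "__main__":
    for expr, hit in demo().items():
        print(f"{'match' if hit else 'no match':8}  {expr}")
```

The "port 80 / tagged" row is the failure from the first paragraph: the matcher finds 0x8100 where it expected 0x0800 and gives up, exactly as the compiled filter does. The QinQ rows show why the manual page's vlan 100 && vlan 200 form is needed for nested tags, and the last row is the mixed-link filter from the caveat above.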