Wireshark-users: Re: [Wireshark-users] Filtering both vlan-tagged as untagged frames with an ip-filter

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 01 May 2007 23:52:19 -0700

Sake Blok wrote:

On Tue, May 01, 2007 at 11:38:26PM -0700, Guy Harris wrote:

Sake Blok wrote:

Might this be a WinPcap bug?

Does it count as a bug if it's documented to work that way? :-)

Most definitely not :-)

I'm not saying that's necessarily the *right* behavior, or the *best* behavior - although to have the "obvious" behavior wherein "host x.x.x.x" checks for that host address in all packets, you'd need to check for VLAN packets even if your network isn't using VLANs, which might be considered inefficient - and, as the BPF engine doesn't support loops (at least not in the kernel), to avoid handing code to the kernel that could loop infinitely, there's no way to handle arbitrary numbers of layers of VLAN encapsulation.

So I'm not sure what the "right" behavior would be (short of a hack in the BPF interpreter giving it an instruction to let it look for Ethertypes with an arbitrary number of layers of VLAN encapsulation - which might be the right answer, along the lines of the instructions the BSD/OS people added for chaining through IPv6 headers).