Tcpdump 802.1Q VLAN network sniffing
Because many sniffers cannot parse VLAN tags, they can be troublesome on VLAN networks; see httpry, urlsnarf, etc.
To sniff VLAN networks with tcpdump, the "vlan" filter primitive can be used:
coslat@ubuntucuk:~$ sudo tcpdump -i eth0 vlan and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:59:43.054948 vlan 12, p 0, IP 192.168.2.20.1390 > 193.140.115.119.www: Flags [P.], seq 813912607:813913122, ack 1415196208, win 65535, length 515
10:59:43.055071 vlan 12, p 0, IP 192.168.2.20.1390 > 193.140.115.119.www: Flags [P.], seq 515:1279, ack 1, win 65535, length 764
10:59:43.055116 vlan 16, p 0, IP 192.168.2.20.1390 > 193.140.115.119.www: Flags [P.], seq 0:515, ack 1, win 65535, length 515
10:59:43.055260 vlan 16, p 0, IP 192.168.2.20.1390 > 193.140.115.119.www: Flags [P.], seq 515:1279, ack 1, win 65535, length 764
To display the Layer 2 header information, the "-e" option can be used:
coslat@ubuntucuk:~$ sudo tcpdump -e -i eth0 vlan and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:00:51.589185 00:1d:7d:3b:00:4b (oui Unknown) > 00:11:bb:e0:7b:10 (oui Unknown), ethertype 802.1Q (0x8100), length 1518: ethertype IPv4, 88.255.41.21.www > 192.168.2.8.1291: Flags [.], seq 1826901155:1826902615, ack 303813320, win 65535, length 1460
11:00:51.589567 00:11:bb:e0:7b:10 (oui Unknown) > 00:19:66:f7:1b:48 (oui Unknown), ethertype 802.1Q (0x8100), length 1518: ethertype IPv4, 88.255.41.21.www > 192.168.2.8.1291: Flags [.], seq 0:1460, ack 1, win 65535, length 1460
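The parser below is an added example, not code from the original post: it shows what a tool has to do to see past the 802.1Q tag that tcpdump's "vlan" primitive and "-e" output expose, peeling the tag(s) to recover the VID and priority (the "vlan 12, p 0" in the first capture) and the real ethertype, and it mimics the "vlan" / "vlan <id>" filter. The sample frames are constructed; only the MAC addresses are taken from the -e output above.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # C-tag, printed by tcpdump -e as "ethertype 802.1Q"
ETHERTYPE_8021AD = 0x88A8  # S-tag (QinQ outer tag)
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame):
    """Decode an Ethernet header, peeling every 802.1Q/802.1ad tag in front of the real ethertype.

    Returns MACs, the VLAN tag stack (outermost first), the inner ethertype and the payload offset.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information: 3-bit PCP (priority), 1-bit DEI, 12-bit VID
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append({"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1})
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload_offset": offset + 2}

def matches_vlan(parsed, vid=None):
    """Behave like tcpdump's 'vlan' / 'vlan <id>' primitive: tagged frames only, optionally a given outer VID."""
    if not parsed["vlans"]:
        return False
    return vid is None or parsed["vlans"][0]["vid"] == vid

# Constructed sample frames (not captured traffic); MACs reuse the ones seen in the -e output above.
DST = bytes.fromhex("0011bbe07b10")
SRC = bytes.fromhex("001d7d3b004b")
IP_STUB = bytes.fromhex("4500001400010000401100000a000001c0a80214")  # minimal IPv4 header stub
TAGGED_VLAN12 = DST + SRC + struct.pack("!HHH", ETHERTYPE_8021Q, 0x000C, ETHERTYPE_IPV4) + IP_STUB
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + IP_STUB
QINQ = DST + SRC + struct.pack("!HHHHH", ETHERTYPE_8021AD, 0x0064, ETHERTYPE_8021Q, 0x000C, ETHERTYPE_IPV4) + IP_STUB

if __name__ == "__main__":
    for name, frame in (("tagged vlan 12", TAGGED_VLAN12), ("untagged", UNTAGGED), ("QinQ 100/12", QINQ)):
        p = parse_frame(frame)
        print(name, p["vlans"], hex(p["ethertype"]), "matches 'vlan 12':", matches_vlan(p, 12))
```

A sniffer that reads the ethertype at offset 12 without this loop sees 0x8100 instead of IPv4 and never reaches the TCP payload, which is the failure the post describes for tools like httpry and urlsnarf.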