Given following configuration in Linux:

  • bond0 in LACP (802.3ad) mode with two VLAN networks running over it.
  • bond0.111 configured with static IP
  • bond0.222 configured with DHCP

How do I capture packets from bond0 so that I can see whether ARP response packets have the correct VLAN tags? If I do

sudo tcpdump -vvv -i bond0 -U -l -n

I get all packets (including LACP synchronization), but no packet will contain info about the VLAN tag, so I cannot know which network they belong to.

If I do

sudo tcpdump -vvv -i bond0 -U -l -n -e vlan

instead, I get all packets containing a VLAN tag but I lose all packets that have no VLAN tag.

How do I run tcpdump so that I can see all packets (including LACP synchronization, ARP requests without VLAN tags and ARP requests with VLAN tags), including (but not requiring) the VLAN tag values used?

I hit this issue while diagnosing an issue where networking failed because the switch was incorrectly configured and it dropped VLAN tags from all packets in VLAN 111. In Cisco parlance, the VLAN 111 was accidentally configured as "native vlan". If I had been able to see all the traffic from the start, it would have been much easier to diagnose the problem.

I know that the traffic is low enough not to fill the buffer (-B flag for tcpdump) so I'm not losing packets because of running out of buffer space.

  • You don't see vlan tags because tcpdump (stupidly) doesn't normally show them. "-e" is one way to see them (along with a ton of other crap you don't care about.)
    – Ricky
    Commented Aug 11, 2020 at 16:40

1 Answer

The -e flag doesn't work this way. When you write

tcpdump .... -e vlan

it doesn't mean "show vlan tag if available". It means "show link-level header" and "show only packets that match expression vlan". The flag -e does not take an argument!

So the correct command for capturing everything is

sudo tcpdump -vvv -i bond0 -U -l -n -e
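To make concrete what "show the link-level header, including the 802.1Q tag when present, without filtering on it" means, here is an added example that is not part of the question or the answer above. It is a small Ethernet frame parser in Python that does what `-e` does in spirit: it reports the VLAN id for tagged frames and still keeps untagged frames, which is exactly what you need to notice a switch that strips the tag from one VLAN. The three frames it walks through are constructed inline (locally administered placeholder MACs, TEST-NET-1 addresses and a zero-filled LACPDU), not captures from the poster's bond0.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_SLOW = 0x8809   # IEEE 802.3 Slow Protocols, carries LACPDUs


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Parse one Ethernet II frame. If an 802.1Q tag is present, record its
    VLAN id and skip past it; otherwise 'vlan' is None and the frame is kept
    rather than dropped (the behaviour a 'vlan' filter expression would not give)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18          # low 12 bits of the TCI are the VID
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def describe(frame: bytes) -> str:
    """One line per frame in the spirit of 'tcpdump -e': link header first,
    VLAN id when present, then a short protocol summary."""
    p = parse_frame(frame)
    line = f"{p['src']} > {p['dst']}"
    if p["vlan"] is not None:
        line += f", vlan {p['vlan']}"
    et, payload = p["ethertype"], p["payload"]
    if et == ETHERTYPE_ARP and len(payload) >= 28:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        (op,) = struct.unpack("!H", payload[6:8])
        spa = ".".join(str(x) for x in payload[14:18])
        tpa = ".".join(str(x) for x in payload[24:28])
        kind = {1: "Request", 2: "Reply"}.get(op, f"op {op}")
        line += f", ARP {kind} {spa} -> {tpa}"
    elif et == ETHERTYPE_SLOW and payload and payload[0] == 1:   # subtype 1 = LACP
        line += ", LACP"
    else:
        line += f", ethertype 0x{et:04x}"
    return line


# --- constructed sample frames (hypothetical MACs and addresses) -------------
def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)   # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def arp_reply(sha: bytes, spa, tha: bytes, tpa) -> bytes:
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + bytes(spa) + tha + bytes(tpa)


HOST = bytes.fromhex("020000000001")             # placeholder, locally administered
PEER = bytes.fromhex("020000000002")             # placeholder, locally administered
SLOW_PROTO_MCAST = bytes.fromhex("0180c2000002")  # Slow Protocols multicast address

SAMPLE_FRAMES = [
    # ARP reply correctly tagged with VLAN 111
    build_frame(HOST, PEER, ETHERTYPE_ARP,
                arp_reply(PEER, (192, 0, 2, 1), HOST, (192, 0, 2, 10)), vlan=111),
    # The same reply with the tag stripped, as a switch treating 111 as native VLAN would send it
    build_frame(HOST, PEER, ETHERTYPE_ARP,
                arp_reply(PEER, (192, 0, 2, 1), HOST, (192, 0, 2, 10))),
    # An untagged LACPDU (subtype 1, version 1, remaining fields zeroed for brevity)
    build_frame(SLOW_PROTO_MCAST, PEER, ETHERTYPE_SLOW, bytes([1, 1]) + bytes(108)),
]


def summarize(frames=SAMPLE_FRAMES) -> list:
    return [describe(f) for f in frames]


if __name__ == "__main__":
    for line in summarize():
        print(line)
```

Run as a script it prints one line per frame; the second line has no "vlan" field even though it is the same ARP reply as the first, which is the symptom described in the question. A frame that should belong to bond0.111 but arrives without a tag is the thing to look for in the real `tcpdump -e` output.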
