Why won't tcpdump capture any traffic when specifying a port and interface that is on a VLAN?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • tcpdump does not capture any traffic when a port filter is given and an interface is selected with the -i option.

Resolution

  • Check whether the interface is on a VLAN; if it is, add the vlan keyword to the filter expression like so:
    # tcpdump -i eth0 vlan and tcp port 22
  • Unless the filter expressly states that the interface is on a VLAN, tcpdump will not match any port-specific traffic and will return no output.

Root Cause

  • The default behavior of tcpdump is to promiscuously capture all incoming traffic. When the specified interface is on a VLAN and a port is also specified, tcpdump discards the incoming packets because they do not strictly match the capture criteria: the port filter is evaluated at the header offsets of an untagged frame, and the 802.1Q tag in a VLAN frame shifts the headers that follow it by 4 bytes. The above command ensures that tcpdump captures only packets that contain VLAN information and the specified port information.
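
The offset shift described above, modelled in Python as an added example (not part of the original solution and not tcpdump's own code). It is a simplified model: IPv4 only, no fragment check; the function names, addresses, ports and VLAN ID 100 are constructed for illustration.

```python
import struct

ETH_P_IP, ETH_P_8021Q, IPPROTO_TCP = 0x0800, 0x8100, 6

def build_frame(sport, dport, vlan_id=None):
    """Constructed sample: minimal Ethernet/IPv4/TCP frame, optionally 802.1Q-tagged."""
    eth = bytes(6) + bytes(6)                      # dst MAC, src MAC (zeros)
    if vlan_id is not None:                        # 4-byte tag: TPID + TCI
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return eth + ip + tcp

def match_tcp_port(frame, port, l2_len=14):
    """Model of `tcp port N`: fixed offsets relative to the link-layer header."""
    # The EtherType is the last two bytes of the link-layer header.
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != ETH_P_IP:
        return False                               # a tagged frame shows 0x8100 here
    if frame[l2_len + 9] != IPPROTO_TCP:           # IPv4 protocol field
        return False
    ihl = (frame[l2_len] & 0x0F) * 4               # IPv4 header length in bytes
    sport, dport = struct.unpack_from("!HH", frame, l2_len + ihl)
    return port in (sport, dport)

def match_vlan_and_tcp_port(frame, port):
    """Model of `vlan and tcp port N`: require the 802.1Q TPID, then shift by 4 bytes."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_P_8021Q and match_tcp_port(frame, port, l2_len=18)

if __name__ == "__main__":
    untagged = build_frame(40000, 22)
    tagged = build_frame(40000, 22, vlan_id=100)
    print("tcp port 22          untagged:", match_tcp_port(untagged, 22))
    print("tcp port 22          tagged:  ", match_tcp_port(tagged, 22))
    print("vlan and tcp port 22 tagged:  ", match_vlan_and_tcp_port(tagged, 22))
    print("vlan and tcp port 22 untagged:", match_vlan_and_tcp_port(untagged, 22))
```

The last case shows the converse: once vlan is in the expression, untagged traffic on the same interface no longer matches.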

Diagnostic Steps

  • Check the switch to which the system is connected to tell whether VLAN tagging is enabled and in use.

  • Check your network configuration scripts located in /etc/sysconfig/network-scripts for the "VLAN=yes" tag, which indicates that the interface is on a VLAN.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.