
VLAN QinQ with tcptrace

posted 31 May 2013, 02:36 by Flip Pipe   [ updated 31 May 2013, 02:38 ]
This week I had a new problem: analyzing traffic in VLAN QinQ with tcptrace. I had a traffic capture of some hundreds of megabytes, and the traffic was encapsulated in QinQ.

tcptrace did not recognize this traffic, so I could not analyze it as it was. And from a bunch of VLANs I just needed to analyze one of them, in my case 1901.

After googling for some time I didn't find my answer, so I needed to create a workaround.

Since libpcap 1.2.1, it is possible to filter traffic in VLAN QinQ. So I just need to replay the traffic and, with tcpdump, capture only the VLAN I need.

But if I replay the traffic to my NIC, the results shouldn't be good, and I didn't try.

But fortunately, we can create a dummy interface. (Thank you Kenyan Geek for your post)

So I did it... a new dummy0 interface on my machine, with no problems of messing with real traffic.

On one side I replay the capture file I had:

# tcpreplay --intf1=dummy0 capture-001-20130529-125129-eth1_2.cap

And on the other side, I just need to capture with the right filter:

# tshark -i dummy0 -w /tmp/test_03_tshark.pcap "vlan 313 && vlan 1901"

In the end, I have a capture with just the VLAN I need.

Of course, tcptrace still does not recognize the QinQ, but now we just need to remove the VLAN information with tcprewrite:

# tcprewrite --enet-vlan=del -i test_03_tshark.pcap -o capture_clean_vlans.pcap

and voilà...

If you need tcpreplay and friends (tcprewrite), you can find it at And tcptrace it is at
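
The replay, capture and rewrite steps above can also be done offline in one pass over the file, which keeps the original packet timestamps. The following is an added example, not part of the original post: it keeps only frames tagged outer 313 / inner 1901 and removes both tags. The function names and sample frames are constructed for illustration, and it assumes a classic microsecond-resolution Ethernet pcap (not pcapng).

```python
import struct, sys

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}  # 802.1Q, 802.1ad, legacy QinQ TPID

def strip_qinq(frame, outer_vid, inner_vid):
    """Return frame minus its tags if they are exactly (outer, inner), else None."""
    vids, off = [], 12                      # tags start after dst+src MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in VLAN_TPIDS:
            break
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI = VLAN ID
        off += 4
    if vids != [outer_vid, inner_vid]:
        return None
    return frame[:12] + frame[off:]         # MACs + real EtherType + payload

def filter_pcap(data, outer_vid, inner_vid):
    """Filter classic Ethernet pcap bytes, keeping the original timestamps."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("expected a classic Ethernet pcap file")
    out, pos = bytearray(data[:24]), 24     # copy the 24-byte global header
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        clean = strip_qinq(frame, outer_vid, inner_vid)
        if clean is not None:
            cut = len(frame) - len(clean)   # 8 bytes for two tags
            out += struct.pack(end + "IIII", sec, usec, incl - cut, orig - cut)
            out += clean
    return bytes(out)

def sample_pcap():
    """Constructed input: three frames (313/1901, 313/1902, untagged)."""
    macs, ip = bytes(12), b"\x08\x00" + b"\x45" + bytes(19)
    tag = lambda tpid, vid: struct.pack("!HH", tpid, vid)
    frames = [macs + tag(0x88A8, 313) + tag(0x8100, 1901) + ip,
              macs + tag(0x88A8, 313) + tag(0x8100, 1902) + ip,
              macs + ip]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1000 + n, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":                  # usage: script.py in.pcap out.pcap
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(filter_pcap(src.read(), 313, 1901))
```

The whole file is read into memory, so for captures much larger than a few hundred megabytes the record loop would need to read from the file incrementally.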