Use (ip and filter) or (vlan and filter)

sensor/pcap_agent.conf

@@ -35,9 +35,6 @@ set RAW_LOG_DIR ${LOG_DIR}/${HOSTNAME}/dailylogs
 # Path to tcpdump. Used for parsing pcap files.
 set TCPDUMP "/usr/sbin/tcpdump"
 
-# If you do VLAN tagging then set this to 1 so the right filter is passed to tcpdump.
-set VLAN 0
-
 # Directory to store the temp pcap files
 set TMP_DIR "/tmp"
 

sensor/pcap_agent.tcl

@@ -298,7 +298,7 @@ proc CheckLastPcapFile { { onetime {0} } } {
 
 proc CreateRawDataFile { TRANS_ID timestamp srcIP srcPort dstIP dstPort proto rawDataFileName type } {
 
-    global RAW_LOG_DIR DEBUG TCPDUMP TMP_DIR VLAN
+    global RAW_LOG_DIR DEBUG TCPDUMP TMP_DIR
 
     set date [lindex $timestamp 0]
 
@@ -426,23 +426,14 @@ proc CreateRawDataFile { TRANS_ID timestamp srcIP srcPort dstIP dstPort proto ra
 
     }
 
-    if { [info exists VLAN] && $VLAN } {
-
-        set tmpFilter "vlan and "
-
-    } else {
-
-        set tmpFilter {}
-
-    }
-
+    # Use ip or vlan for the filter
     if {$proto != "6" && $proto != "17"} {
 
-        set tcpdumpFilter "${tmpFilter}host $srcIP and host $dstIP and proto $proto"
+        set tcpdumpFilter "(ip and host $srcIP and host $dstIP and proto $proto) or (vlan and host $srcIP and host $dstIP and proto $proto)"
 
     } else {
 
-        set tcpdumpFilter "${tmpFilter}host $srcIP and host $dstIP and port $srcPort and port $dstPort and proto $proto"
+        set tcpdumpFilter "(ip and host $srcIP and host $dstIP and port $srcPort and port $dstPort and proto $proto) or (vlan and host $srcIP and host $dstIP and port $srcPort and port $dstPort and proto $proto)"
 
     }