If you tcpdump on interface that mirrored port (span port) from another port on switch.  Please check that port is access port or trunk port ( tagged VLAN 802.1Q) because if it is trunk port you must specific “vlan”  macro in the filtering system of tcpdump command

Prerequisite settings (CentOS)
eth1 – the interface that plugged on mirrorred port

or change dynamic via ifconfig command

The basic command to filter only ip

It does not print any output. I can verify that traffic exists for that host by doing:

This does in fact produce the results I want, but is not a good workaround because tcpdump so useful is the highly complex filtering language available. why not used it ?

Let’s now take a look at what happens to the Ethernet frame header when it have the VLAN tag information. So from this picture let we begin to understand our problem. We are dealing with an off-by-4 byte error (red rectangle in picture)

802.1Q Ether Frame


What we is filtering only for packets containing a VLAN tag and either of the IP address
By explicitly applying the vlan macro the filtering system will properly detect the VLAN header and account for it when processing the other embedded protocols. It is worth noting that this will only match on packets that contain the VLAN header.

If you want to get generic solution, say you don’t know or your capture contains a mix of packets that may or may not have a VLAN tag, you can writing your filter to do something like below

Finding out that VLANs are used on networks that you’re dealing with, and if the infrastructure is any more complicated than a 10 admin it probably does, or don’t want to ask network guy, has some pretty far reaching consequences.

option :  -e     Print the link-level header on each dump line.

From above if you known exactly vlan id is 111, so you can write the macro as below

Resource : 
http://commons.wikimedia.org/wiki/File:TCPIP_802.1Q.jpg ( Full size of Ethernet 802.1Q )

tcpdump filter not work – why ?