Closed
Description
Converted from SourceForge issue 2693245, submitted by linkj
When using the 'vlan' filter expressions I found the order in which the 'vlan' filter is placed matters. That is, 'vlan and icmp' will yield different results from 'icmp and vlan'. I have never seen this problem with any other combination of BPF filter expressions for tcpdump, only with the 'vlan' expression in combination with other expressions. See below for an example.
# tcpdump -nn -t -r sample.pcap 'vlan and icmp'
reading from file sample.pcap, link-type EN10MB (Ethernet)
IP 131.151.6.171 > 131.151.32.129: ICMP echo request, id 53249, seq 33054, length 1477
IP 131.151.32.129 > 131.151.6.171: ICMP echo reply, id 53249, seq 33054, length 1477
IP 131.151.32.21 > 131.151.32.129: ICMP echo request, id 44866, seq 22307, length 1480
IP 131.151.32.129 > 131.151.32.21: ICMP echo reply, id 44866, seq 22307, length 1480
# tcpdump -nn -t -r sample.pcap 'icmp and vlan'
reading from file sample.pcap, link-type EN10MB (Ethernet)
tcpdump: expression rejects all packets
I've seen this problem in tcpdump v4.0.0 and earlier versions. I am not sure if this is a libpcap issue, a keyboard to floor problem or something to do with how filter expressions are processed inside tcpdump.
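The order dependence reported above matches the rule in the pcap-filter documentation that the first vlan keyword changes the decoding offsets for the remainder of the expression. The sketch below is an added example, not tcpdump or libpcap code: a simplified left-to-right model of that rule, with hypothetical helpers `frame` and `matches`, run over constructed frames.

```python
import struct

ETH_IP, ETH_VLAN, PROTO_ICMP = 0x0800, 0x8100, 1

def frame(vlan_id=None, proto=PROTO_ICMP):
    """Constructed Ethernet frame: optional 802.1Q tag, then a bare IPv4 header."""
    hdr = bytes(12)                                    # dst + src MAC (zeros)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan_id)   # TPID + TCI
    ip = bytes([0x45, 0]) + bytes(7) + bytes([proto]) + bytes(10)
    return hdr + struct.pack("!H", ETH_IP) + ip

def matches(expr, pkt):
    """Evaluate 'a and b ...' left to right (simplified model, an assumption)."""
    shift = 0   # extra link-layer bytes assumed by primitives seen so far
    for prim in expr.split(" and "):
        ethertype = struct.unpack_from("!H", pkt, 12 + shift)[0]
        if prim == "vlan":
            if ethertype != ETH_VLAN:
                return False
            shift += 4      # primitives to the right decode past the 4-byte tag
        elif prim == "icmp":
            # 14 = Ethernet header length, 9 = protocol field in the IPv4 header
            if ethertype != ETH_IP or pkt[14 + shift + 9] != PROTO_ICMP:
                return False
        else:
            raise ValueError(f"unsupported primitive: {prim}")
    return True

def survey(expr):
    """Which constructed frames (tagged and untagged ICMP) does expr accept?"""
    samples = {"tagged": frame(vlan_id=100), "untagged": frame()}
    return sorted(name for name, pkt in samples.items() if matches(expr, pkt))

if __name__ == "__main__":
    for expr in ("vlan and icmp", "icmp and vlan", "icmp"):
        print(f"{expr!r:18} accepts {survey(expr)}")
```

In this model 'icmp and vlan' requires the EtherType at offset 12 to be both 0x0800 and 0x8100, which no frame satisfies, so a capture or detection filter written in that order sees no VLAN-tagged traffic at all.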