libpcap
BPF filter for VLAN doesn't work after update from 6.6.0 to 7.8.0
We noticed a strange change in the behavior of the BPF filter. After the libpcap update we noticed that negative offsets in the BPF filter don't seem to work anymore.
This is the filter we use to filter on specific VLANs:
'(ether[-4088:4] = 3 and (ether[-4048:1] = 1 and (ether[-4052:1] = 712 or ether[-4052:1] = 713 or ether[-4052:1] = 714 or ether[-4052:1] = 715 or ether[-4052:1] = 717)))'
Where "3" in 'ether[-4088:4] = 3' represents an interface index.
With libpcap v1.5.3 this filter was working. We had:
[root@ct-1759 ~]# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
This is the tcpdump of a simple filter on the previous version:
With libpcap v1.9.1 the mentioned filter doesn't work anymore.
root@xx-u20:~/Development/zzzz$ sudo tcpdump --version
tcpdump version 4.9.3-fs1
libpcap version 1.9.1 (with TPACKET_V3)
OpenSSL 1.0.2g-fips 1 Mar 2016
This is the tcpdump of a simple filter on the new version:
Any idea why we see this change?
Where did you learn about negative offsets?
I found some threads like this https://github.com/the-tcpdump-group/libpcap/issues/815 where people mentioned that it worked as a workaround. Is there any other way to filter on multiple VLANs like "vlan 20 or vlan 30"?
Please see the references at the end of Q13 of the FAQ, it might or might not work.