Blog | G5 Cyber Security

BPF for IP or VLAN Traffic

Using tcpdump's -d option to see how Berkeley Packet Filter syntax is compiled, you can build a BPF that catches traffic whether or not it carries VLAN tags. Of the two filters compared, the first accomplishes this goal, but the second does not. The second one reads: load the half word (16-bit value) at offset 12. If it is the IP Ethertype, you get the whole packet. If that half word is an IP Ethertype (which it won't be), you get the whole packet. Otherwise, return nothing.
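To make the offset logic concrete, here is an added example (not code from the original post, and a toy model of BPF's "load half word" and compare steps rather than libpcap's real compiler) that runs both filtering strategies over constructed Ethernet frames; it relies on the fact that a 4-byte 802.1Q tag at offset 12 pushes the real Ethertype out to offset 16.

```python
import struct
from typing import Optional

# Constructed constants: Ethertype values as they appear in the half word at offset 12.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag; the encapsulated Ethertype then sits at offset 16

def ldh(frame: bytes, offset: int) -> int:
    """Model of the BPF 'ldh [offset]' instruction: load a 16-bit big-endian half word."""
    return struct.unpack_from("!H", frame, offset)[0]

def filter_ip_only(frame: bytes) -> bool:
    """Looks only at offset 12, so a VLAN-tagged IP packet is rejected (the failing case)."""
    return ldh(frame, 12) == ETHERTYPE_IP

def filter_ip_or_vlan_ip(frame: bytes) -> bool:
    """Checks offset 12 for IP; if a VLAN tag is there instead, re-checks the Ethertype at offset 16."""
    ethertype = ldh(frame, 12)
    if ethertype == ETHERTYPE_IP:
        return True
    if ethertype == ETHERTYPE_VLAN:
        return ldh(frame, 16) == ETHERTYPE_IP
    return False

def build_frame(ethertype: int, vlan_id: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame: dst MAC, src MAC, optional 802.1Q tag, Ethertype, dummy payload."""
    header = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    header += struct.pack("!H", ethertype)
    return header + b"\x45" + b"\x00" * 19  # minimal IPv4-looking payload

# Constructed sample capture: two IP frames (one tagged with VLAN 100) and two ARP frames.
FRAMES = {
    "untagged-ip": build_frame(ETHERTYPE_IP),
    "vlan100-ip": build_frame(ETHERTYPE_IP, vlan_id=100),
    "untagged-arp": build_frame(ETHERTYPE_ARP),
    "vlan100-arp": build_frame(ETHERTYPE_ARP, vlan_id=100),
}

def matches(bpf, frames=FRAMES) -> list:
    """Return the names of the frames the given filter accepts."""
    return sorted(name for name, frame in frames.items() if bpf(frame))

if __name__ == "__main__":
    print("ip only       :", matches(filter_ip_only))        # ['untagged-ip']
    print("ip or vlan+ip :", matches(filter_ip_or_vlan_ip))  # ['untagged-ip', 'vlan100-ip']
```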

Source: https://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html
