https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5932
Summary: MAC address capture filter doesn't work on
1.7.0-SVN-37265
Product: Wireshark
Version: 1.7.x (Experimental)
Platform: x86
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: Medium
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: Jim@xxxxxxxxxxxxxxxxx
Build Information:
Version 1.7.0-SVN-37265 (SVN Rev 37265 from /trunk)
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with
Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
May
18 2011), with AirPcap.
Running on 32-bit Windows Vista Service Pack 2, build 6002, with WinPcap
version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap, from the
PortableApps U3 device in drive L:.
Built using Microsoft Visual C++ 9.0 build 21022
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
I wanted to capture traffic to and from a PC with IP address of 192.168.1.61,
but I needed to do the capturing from a different PC with IP address
192.168.1.3. I used port mirroring on my switch to forward all traffic to and
from the port that .61 was plugged into, to the port that .3 was plugged into.
.61 was downloading Microsoft Windows updates, and .3 was streaming video, so
both PCs had significant traffic to/from the Internet, but they were not
communicating with each other.
In order to only see traffic to and from .61, even though I was capturing on
.3, I applied the following capture filter: "ether host 00:0c:6e:b4:b7:15"
where "00:0c:6e:b4:b7:15" is the MAC address of .61. In spite of the capture
filter, I saw traffic to/from both PCs.
I then back-revved the version of Wireshark on my hard drive from
1.7.0-SVN-37265 to 1.6.0rc1.
I ran the capture again with the same capture filter applied, and this time saw
only traffic to/from 192.168.1.61. Traffic from 192.168.1.3 was excluded.
Next I ran the 1.6.0rc1 version installed on my hard drive simultaneously with
the 1.7.0-SVN-37265 portable apps version installed on my USB flash drive, both
on the same PC. I applied the same capture filter to both.
1.6.0rc1 showed only traffic to/from 192.168.1.61, and excluded 192.168.1.3.
1.7.0-SVN-37265 had traffic to/from both systems.
After capturing 20,000 packets in each instance of Wireshark, I applied the
following display filter to both instances to see how much traffic from
192.168.1.3 was mixed in: "!(ip.addr==192.168.1.3)"
1.6.0rc1 showed 20,000 packets captured and 20,000 packets displayed.
1.7.0-SVN-37265 showed 20,000 packets captured and 11,049 packets displayed. It
appears that 1.7.0-SVN-37265 is simply not excluding frames in accordance with
the capture filter.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
