Wireshark-users: Re: [Wireshark-users] Capture filter not working?

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 19 Nov 2007 23:54:47 +0100

On Mon, Nov 19, 2007 at 02:11:41PM -0800, Trevor Tolk wrote:
> Hmmmm.  Well, I see the problem, though it opens different questions...
> 
> I'm using an HP 2600 series switch.

I'm afraid I don't have any experience with HP switches

> I have 3 vlans, but no ports are
> tagged (they are all untagged).  The monitoring/mirroring port is
> supposed to be on the same vlan as the port you are monitoring.  It
> wasn't.  When I used the filter "vlan and host 65.98.143.227" it worked.

Great! :-)

> So then I got rid of it and capture filter and verified that indeed the
> packets were all being sent, but were tagged.  Does that mean that all
> ports are sending out packets for all vlans but they're tagged, or it's
> sending tagged packets on the monitoring port even if it's not in the
> same vlan on the port being monitored?

I guess that depends on the siwtch brand/model/sw-version. All switches
that I know of tag frames once they ingress the switch (they need to
know which vlan a frame came in on). Then they switch them to the 
correct egress port(s) and strip the tag if it's an untagged port.

It could be that port-mirroring comes in before the "untagging" on a 
HP switch.

I have also seen switches that leave the tag only on one direction
which makes filtering even harder. You end up using something like
"host x.x.x.x or (vlan and host x.x.x.x)"

(see also: http://wiki.wireshark.org/CaptureSetup/VLAN )


> Anyway, you answered my question!  Thanks some much Sake!

You're welcome :-)


Sake