Wireshark-users: Re: [Wireshark-users] Capture filter
From: ketzal devims <ketzaldevims@xxxxxxxxx>
Date: Thu, 24 Sep 2009 16:39:50 +0200
Ok, it works... thanks a lot
that was the simple filter...
The problem now is if I try to remove some packets (like watchdog for Diameter and SIP for example)
I know that the SIP and Diameter packets I would like to remove are 60 or 70 or 142 or 162 bytes long
((port 5060 or port 3868) and not len = 70 and not len = 142 and not len = 162) or (vlan and (port 5060 or port 3868))
here, I lose some Diameter traffic.
I tried too:
((port 5060 or port 3868) and (not len = 70 or not len = 142 or not len = 162)) or (vlan and (port 5060 or port 3868))
still the same
I'm really bad at boolean tests :(
2009/9/24 Sake Blok <sake@xxxxxxxxxx>
On Thu, Sep 24, 2009 at 03:14:10PM +0200, ketzal devims wrote:
> Now if I do
> port 5060 or (vlan and port 5060)) or port 3868 or (vlan and port 3868))
> -> I can capture Diameter for both sides, but SIP only for responses (as
> if the first expression "port 5060" was omitted)...

Filtering for untagged as well as tagged packets is a little tricky in
tcpdump/tshark/wireshark. The thing to remember is that the word vlan in
the capture filter advances the offset into the packet by 4 bytes (the
length of the 802.1q header). The correct way to do this is to first
filter on all non-tagged frames and then filter for the tagged frames:
"(port 5060 or port 3868) or (vlan and (port 5060 or port 3868))"
Hope this helps,
PS This is also documented on http://wiki.wireshark.org/VLAN
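The two points raised in this thread (the `vlan` primitive shifting the offset of every primitive that follows it, and the difference between `not len = A and not len = B` and `not len = A or not len = B`) can be checked offline with a small model of the filter semantics. The following Python is an added example written for this archive page, not code from the thread or from libpcap: it builds constructed Ethernet/IPv4/UDP frames (tagged and untagged) and evaluates the filter forms discussed above with a toy matcher that mirrors two libpcap behaviours, namely that every primitive is evaluated (compiled BPF does not short-circuit) and that `vlan` bumps the link-layer offset by 4 for all later primitives whether or not the frame is actually tagged. The frame contents, addresses and VLAN id are constructed sample values.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
IPPROTO_UDP = 17
WATCHDOG_LENS = (70, 142, 162)   # frame lengths the poster wants to drop


def build_frame(sport, dport, total_len, tagged=False, vlan_id=100):
    """Constructed Ethernet/IPv4/UDP frame padded to total_len bytes (sample data).
    total_len includes the 4-byte 802.1Q tag when tagged=True, like BPF's len."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if tagged:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id)
    eth += struct.pack("!H", ETH_P_IP)
    ip_len = total_len - len(eth)
    if ip_len < 28:
        raise ValueError("total_len too small for IPv4 + UDP headers")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", sport, dport, ip_len - 20, 0)
    return eth + ip + udp + b"\x00" * (ip_len - 28)


class Bpf:
    """Toy model of a few capture-filter primitives (assumption: simplified
    reproduction of libpcap's offset handling, not its real code generator)."""

    def __init__(self, frame):
        self.f = frame
        self.off = 0   # extra link-layer offset; vlan() adds 4 for later primitives

    def _u16(self, pos):
        if pos + 2 > len(self.f):
            return -1
        return struct.unpack_from("!H", self.f, pos)[0]

    def vlan(self):
        tagged = self._u16(12 + self.off) == ETH_P_8021Q
        self.off += 4   # compile-time side effect: applies even to untagged frames
        return tagged

    def port(self, n):
        base = 14 + self.off
        if self._u16(12 + self.off) != ETH_P_IP or len(self.f) < base + 20:
            return False
        if self.f[base + 9] not in (6, 17):        # TCP or UDP only
            return False
        l4 = base + (self.f[base] & 0x0F) * 4
        return n in (self._u16(l4), self._u16(l4 + 2))

    def length(self):
        return len(self.f)


# The '|' and '&' operators evaluate both sides, mirroring compiled BPF.
def filter_vlan_first(frame):
    """(vlan and port 3868) or port 3868: the trailing port 3868 is shifted by 4."""
    b = Bpf(frame)
    return (b.vlan() & b.port(3868)) | b.port(3868)


def filter_untagged_first(frame):
    """port 3868 or (vlan and port 3868): the ordering recommended in the reply."""
    b = Bpf(frame)
    return b.port(3868) | (b.vlan() & b.port(3868))


def filter_exclude_and(frame):
    """not len = 70 and not len = 142 and not len = 162: drops all three sizes."""
    b = Bpf(frame)
    return all(b.length() != n for n in WATCHDOG_LENS)


def filter_exclude_or(frame):
    """not len = 70 or not len = 142 or not len = 162: true for every frame."""
    b = Bpf(frame)
    return any(b.length() != n for n in WATCHDOG_LENS)


if __name__ == "__main__":
    plain = build_frame(3868, 40000, 100)
    tagged = build_frame(3868, 40000, 100, tagged=True)
    watchdog = build_frame(3868, 40000, 70)
    for name, fn in [("vlan first", filter_vlan_first),
                     ("untagged first", filter_untagged_first)]:
        print(f"{name:15s} untagged={fn(plain)} tagged={fn(tagged)}")
    print("and-form keeps 70-byte frame:", filter_exclude_and(watchdog))
    print("or-form keeps 70-byte frame: ", filter_exclude_or(watchdog))
```

Running it shows the `vlan`-first ordering dropping the untagged Diameter frame while the untagged-first ordering keeps both, and shows that the `or` form of the length exclusion never drops anything, which is why the second attempt in the thread behaves exactly like having no length test at all.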
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>