Wireshark-users: Re: [Wireshark-users] pcap / winpcap filters

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 29 Apr 2010 17:46:18 +0200
My guess would be that all traffic is vlan-tagged on the mirror port. Could you try the filter "vlan and (port 53 or port 5060)"?

See also: http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d

Cheers,


Sake


On 29 apr 2010, at 15:37, marco@xxxxxxxxxx wrote:

> Hi Lars,
>      if I do not add any filter I can capture all the traffic (that does not match as source / destination or both) the mirroring port sends me. While if I enable a filter (like "igmp" for example) I can only see the traffic that can be accepted by the subnet I configure on my eth interface .....
>   
> Regards,
> Marco
>  
>  
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> Cc:
> Date: Thu, 29 Apr 2010 15:03:20 +0200
> Subject: Re: [Wireshark-users] pcap / winpcap filters
> 
> > Hi,
> > That's not a problem. In **promiscuous mode** (checked?), you will see any traffic coming out of the mirror port, regardless if it's on your local subnet or not.
> > Have you tried sniffing without any filter? Do you see the traffic of the other subnet then?
> > I suspect your problem is more related to your port mirroring setup than to Wireshark filters.
> >
> > Regards,
> > Lars Ruoff
> >
> >
> > ________________________________________
> > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of marco@xxxxxxxxxx
> > Sent: Thursday, 29 April 2010 14:49
> > To: wireshark-users@xxxxxxxxxxxxx
> > Subject: Re: [Wireshark-users] pcap / winpcap filters
> >
> > Hi,
> >     yes, that's what I did in the past but if I use this filter string I can only get the packets that lookup on my ethernet interface ....  while I need to see all the packets that are not sent to / come from my eth interface subnet.
> >  
> > I did a port mirroring on a Layer3 switch so on the mirroring port I can see all the packets of some subnet and they will necessarily not match my eth interface subnet .....
> >
> >
> > Thanks !
> > Marco
> >
> > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> > Cc:
> > Date: Thu, 29 Apr 2010 14:09:46 +0200
> > Subject: Re: [Wireshark-users] pcap / winpcap filters
> >
> > > Hi,
> > >
> > > Would that be a capture filter like: 'port 53 or port 5060'
> > >
> > > Thanks,
> > > Jaap
> > >
> > > On Thu, 29 Apr 2010 11:39:17 +0200, "marco\@marcomp\.it"
> > > wrote:
> > > > I need to filter some traffic (before capturing it) using the pcap /
> > > > winpcap filter but this traffic comes from some different subnet (
> > > > different from my eth interface subnet ).
> > > > So if I apply a filter the pcap show me the packet that can lookup on my
> > > > eth interface only ...
> > > > How can I get the filtered traffic that comes from "everywhere"
> > > > (0.0.0.0/0) ?
> > > >
> > > > I need to filter the data traffic before sending it to Wireshark because
> > > > I only need to check the DNS and SIP traffic for a long time (maybe for
> > > > more than 1 week)... so I don't want to store Gbyte and Gbyte of not
> > > > helpful data on my pc.....
> > > >
> > > > Have you any suggestion ?
> > > >
> > > >
> > > > Marco
> > > >
> > > ___________________________________________________________________________
> > > Sent via: Wireshark-users mailing list
> > > Archives: http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
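
An added example, not part of the original thread: a simplified Python model of why the capture filter `port 53 or port 5060` can miss 802.1Q-tagged frames from a mirror port while `vlan and (port 53 or port 5060)` matches them. The frame builder, function names, addresses and VLAN ID are constructed for illustration; the model assumes a classic libpcap filter that reads fixed offsets from the Ethernet header and ignores IPv6 and fragments.

```python
import struct

VLAN_TPID, IPV4, TCP, UDP = 0x8100, 0x0800, 6, 17

def udp_frame(sport, dport, vlan_id=None):
    """Build a constructed Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    eth = bytes(6) + bytes(6)                        # dst MAC, src MAC (zeros)
    if vlan_id is not None:
        eth += struct.pack("!HH", VLAN_TPID, vlan_id)  # 4-byte 802.1Q tag
    eth += struct.pack("!H", IPV4)                   # real EtherType
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, UDP, 0,
                     bytes([10, 1, 2, 3]), bytes([10, 9, 9, 9]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def match_ports(frame, ports, l2_len=14):
    """Model of 'port A or port B': every offset is relative to l2_len."""
    ethertype, = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != IPV4:
        return False              # a tagged frame shows 0x8100 here and is dropped
    if frame[l2_len + 9] not in (TCP, UDP):
        return False
    ihl = (frame[l2_len] & 0x0F) * 4                 # IPv4 header length
    sport, dport = struct.unpack_from("!HH", frame, l2_len + ihl)
    return sport in ports or dport in ports

def match_vlan_then_ports(frame, ports):
    """Model of 'vlan and (port A or port B)': require the tag, then shift by 4."""
    tpid, = struct.unpack_from("!H", frame, 12)
    return tpid == VLAN_TPID and match_ports(frame, ports, l2_len=18)

if __name__ == "__main__":
    wanted = {53, 5060}
    for name, frame in [("untagged DNS", udp_frame(40000, 53)),
                        ("VLAN 100 SIP", udp_frame(40000, 5060, vlan_id=100))]:
        print(name, "| plain filter:", match_ports(frame, wanted),
              "| vlan filter:", match_vlan_then_ports(frame, wanted))
```

In this model the plain filter matches only untagged frames and the `vlan` form matches only tagged ones, so a capture that must keep both needs both alternatives in the filter expression.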