
Wireshark-users: Re: [Wireshark-users] pcap / winpcap filters

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 29 Apr 2010 19:16:05 +0200
Nope, the pcap filtering just checks each packet against the filter that you supply. It does not care about the interface configuration (it is not even necessary to have IP enabled on the capturing interface).

Back to your problem. If I read the mails correctly, if you do *not* use a filter, you see all the packets *including* the DNS and SIP packets that you are interested in. If you *do* use a filter that should match the DNS and SIP traffic, then the packets somehow do not show up in the trace file.

If this is correct, would it be possible for you to post a small capture file (made without filter) that has DNS and SIP packets in it? This would make analyzing your issue a lot easier.

Cheers,



Sake


On 29 apr 2010, at 18:46, marco@xxxxxxxxxx wrote:

> Dear Sake,
>      I checked it also and that's not the issue .....
> I think that the pcap / winpcap filter works only if the packet's source or destination IP is in the ethernet interface subnet range. If it isn't, pcap will discard it without checking its content. Could it be?
>  
> Regards,
> Marco 
>  
>  
> 
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> Cc:
> Date: Thu, 29 Apr 2010 17:46:18 +0200
> Subject: Re: [Wireshark-users] pcap / winpcap filters
> 
> > My guess would be that all traffic is vlan-tagged on the mirror port. Could you try the filter "vlan and (port 53 or port 5060)"?
> >
> > See also: http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d
> >
> > Cheers,
> >
> >
> > Sake
> >
> >
> > On 29 apr 2010, at 15:37, marco@xxxxxxxxxx wrote:
> >
> > > Hi Lars,
> > > if I do not add any filter I can capture all the traffic (that does not match as source / destination or both) the mirroring port sends me. While if I enable a filter (like "igmp" for example) I can only see the traffic that can be accepted by the subnet I configured on my eth interface .....
> > >
> > > Regards,
> > > Marco
> > >
> > >
> > > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > > To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> > > Cc:
> > > Date: Thu, 29 Apr 2010 15:03:20 +0200
> > > Subject: Re: [Wireshark-users] pcap / winpcap filters
> > >
> > > > Hi,
> > > > That's not a problem. In **promiscuous mode** (checked?), you will see any traffic coming out of the mirror port, regardless of whether it's on your local subnet or not.
> > > > Have you tried sniffing without any filter? Do you see the traffic of the other subnet then?
> > > > I suspect your problem is more related to your port mirroring setup than to Wireshark filters.
> > > >
> > > > Regards,
> > > > Lars Ruoff
> > > >
> > > >
> > > > ________________________________________
> > > > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of marco@xxxxxxxxxx
> > > > Sent: Thursday 29 April 2010 14:49
> > > > To: wireshark-users@xxxxxxxxxxxxx
> > > > Subject: Re: [Wireshark-users] pcap / winpcap filters
> > > >
> > > > Hi,
> > > > yes, that's what I did in the past, but if I use this filter string I can only get the packets that look up on my ethernet interface .... while I need to see all the packets that are not sent to / do not come from my eth interface subnet.
> > > >
> > > > I did a port mirroring on a Layer 3 switch, so on the mirroring port I can see all the packets of some subnets, and they will necessarily not match my eth interface subnet .....
> > > >
> > > >
> > > > Thanks !
> > > > Marco
> > > >
> > > > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > > > To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> > > > Cc:
> > > > Date: Thu, 29 Apr 2010 14:09:46 +0200
> > > > Subject: Re: [Wireshark-users] pcap / winpcap filters
> > > >
> > > > > Hi,
> > > > >
> > > > > Would that be a capture filter like: 'port 53 or port 5060'
> > > > >
> > > > > Thanks,
> > > > > Jaap
> > > > >
> > > > > On Thu, 29 Apr 2010 11:39:17 +0200, "marco@marcomp.it" wrote:
> > > > > > I need to filter some traffic (before capturing it) using the pcap /
> > > > > > winpcap filter, but this traffic comes from some different subnet
> > > > > > (different from my eth interface subnet).
> > > > > > So if I apply a filter, pcap shows me only the packets that can look up on my
> > > > > > eth interface ...
> > > > > > How can I get the filtered traffic that comes from "everywhere"
> > > > > > (0.0.0.0/0)?
> > > > > >
> > > > > > I need to filter the data traffic before sending it to Wireshark
> > > > > > because I only need to check the DNS and SIP traffic for a long time
> > > > > > (maybe for more than 1 week)... so I don't want to store Gbyte and
> > > > > > Gbyte of not helpful data on my pc.....
> > > > > >
> > > > > > Have you any suggestion ?
> > > > > >
> > > > > >
> > > > > > Marco
> > > > > >
> > > > > ___________________________________________________________________________
> > > > > Sent via: Wireshark-users mailing list
> > > > > Archives: http://www.wireshark.org/lists/wireshark-users
> > > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
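A constructed illustration, added here and not part of the thread, of two points made above: Sake's note that a pcap capture filter tests each packet against the filter expression and never consults the capturing interface's IP configuration, and his suggestion that the mirror port may be delivering 802.1Q-tagged frames, which a plain `port 53 or port 5060` filter will not match. The code is a pure-Python approximation of what libpcap compiles for `port N` versus `vlan and port N`, run over hand-built frames. `build_frame` and `matches_port` are assumed names for this sketch, and real libpcap (and the kernel's own VLAN tag handling on some platforms) does more than what is shown here.

```python
"""Why a plain 'port 53' capture filter can miss VLAN-tagged frames.

Constructed example (not from the mailing-list thread): a tiny re-implementation
of the two BPF match rules in pure Python, run over hand-built Ethernet frames.
"""
import struct
from typing import Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                vlan_id: Optional[int] = None) -> bytes:
    """Build an Ethernet/IPv4/UDP frame; optionally insert an 802.1Q tag.

    All addresses and ports are constructed test data (assumed, not captured).
    """
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan_id is not None:
        # 802.1Q: TPID 0x8100, then TCI (priority 0, DEI 0, VID), then the real ethertype
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IP)
    payload = b"dns-or-sip"
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def matches_port(frame: bytes, port: int, vlan_aware: bool = False) -> bool:
    """Approximate what libpcap compiles for 'port N' (vlan_aware=False)
    or 'vlan and port N' (vlan_aware=True).

    The compiled filter starts from a fixed idea of where the IP header is:
    right after a 14-byte Ethernet header. Without the 'vlan' keyword it tests
    the ethertype at offset 12 against 0x0800 and never looks 4 bytes further,
    so a 0x8100-tagged frame fails immediately. Note that the IP addresses are
    never consulted: the interface's subnet plays no part in the decision.
    """
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if vlan_aware:
        if ethertype != ETHERTYPE_VLAN:
            return False
        off += 4  # skip TPID + TCI; the encapsulated ethertype follows
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETHERTYPE_IP:
        return False
    ip_start = off + 2
    ihl = (frame[ip_start] & 0x0F) * 4
    proto = frame[ip_start + 9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False
    flags_frag = struct.unpack_from("!H", frame, ip_start + 6)[0]
    if flags_frag & 0x1FFF:
        return False  # like BPF 'port', only the first fragment carries ports
    sport, dport = struct.unpack_from("!HH", frame, ip_start + ihl)
    return port in (sport, dport)


def demo() -> dict:
    """Run the two filters over an untagged and a VLAN-tagged DNS query."""
    untagged = build_frame("10.9.8.7", "192.0.2.53", 40000, 53)
    tagged = build_frame("10.9.8.7", "192.0.2.53", 40000, 53, vlan_id=100)
    return {
        "untagged, port 53": matches_port(untagged, 53),
        "tagged, port 53": matches_port(tagged, 53),
        "tagged, vlan and port 53": matches_port(tagged, 53, vlan_aware=True),
        "untagged, vlan and port 53": matches_port(untagged, 53, vlan_aware=True),
    }


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label:28s} -> {'match' if hit else 'no match'}")
```

The source address 10.9.8.7 is deliberately outside any subnet the "capturing interface" might have; the matcher never reads it, which is the point Sake makes about interface configuration. The tagged frame only matches once the filter is told to expect the tag, which is why a mirror port carrying tagged traffic needs `vlan and (port 53 or port 5060)`. A quick way to confirm the diagnosis on a real capture is to capture a few frames with no filter and check whether the Ethernet type shown is 802.1Q (0x8100).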