
Ethereal-users: [Ethereal-users] Capture without filter works fine, capture with filter doesn't

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Edward VanDewars <gt4200b@xxxxxxxxx>
Date: Thu, 3 Mar 2005 09:56:24 -0800 (PST)
I'm running ethereal 0.10.9 on an interface attached
to a mirror port on a switch.  I can capture data just
fine if I do a capture by interface for the interface
on the mirrored port.  However, if I want to do any
type of capture filter then nothing will capture.

For example, I do an interface capture on the mirrored
interface, eth1, and see that there is a LOT of
traffic to IP address 1.2.3.4 so I attempt to do a
capture (on the mirrored interface, eth1) with a
capture filter of "host 1.2.3.4" and get nothing. 
I've tried starting ethereal with "-i eth1" with the
same results.

I suspect this is actually not an ethereal issue, as
tcpdump exhibits the same behavior.  "tcpdump -i eth1"
returns all expected traffic (including LOTS of
traffic to 1.2.3.4) but "tcpdump -i eth1 host 1.2.3.4"
returns nothing no matter how long I wait (although
upon ctrl-c it does report packets received by
filter).

In both cases I can capture traffic to and from the
local host on the other NIC (eth0) using filters.

I'm running ethereal 0.10.9, tcpdump 3.8.3, and
libpcap 0.8 on Linux (Debian/testing) (all are Debian
packages, nothing custom built) with kernel 2.6.10.
The NIC on the mirror port is an Intel PRO/1000.

Any ideas or suggestions would be greatly appreciated.
I am currently working around the issue by capturing
everything and then filtering using display filters
but the captures are getting too large.

Thanks in advance.

