Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-users: Re: [Ethereal-users] Capture without filter works fine, capture with filter does

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: LEGO <luis.ontanon@xxxxxxxxx>
Date: Thu, 3 Mar 2005 18:59:09 +0100
any vlan tags?

if so you have to add to the filter the vlan in which to find the IP.

example:
"vlan 123 and host 1.2.3.4"




On Thu, 3 Mar 2005 09:56:24 -0800 (PST), Edward VanDewars
<gt4200b@xxxxxxxxx> wrote:
> I'm running ethereal 0.10.9 on an interface attached
> to a mirror port on a switch.  I can capture data just
> fine if I do a capture by interface for the interface
> on the mirrored port.  However, if I want to do any
> type of capture filter then nothing will capture.
> 
> For example, I do an interface capture on the mirrored
> interface, eth1, and see that there is a LOT of
> traffic to IP address 1.2.3.4 so I attempt to do a
> capture (on the mirrored interface, eth1) with a
> capture filter of "host 1.2.3.4" and get nothing.
> I've tried starting ethereal with "-i eth1" with the
> same results.
> 
> I suspect this is actually not an ethereal issue, as
> tcpdump exhibits the same behavior.  "tcpdump -i eth1"
> returns all expected traffic (including LOTS of
> traffic to 1.2.3.4) but "tcpdump -i eth1 host 1.2.3.4"
> returns nothing no matter how long I wait (although
> upon ctrl-c it does report packets received by
> filter).
> 
> In both cases I can capture traffic to and from the
> local host on the other nic (eth0) using filters.
> 
> I'm running ethereal 0.10.9, tcpdump 3.8.3, and
> libpcap  0.8 on linux (Debian/testing) (all are Debian
> packages, nothing custom built) with kernel 2.6.10.
> The nic on the mirror port is an Intel pro/1000.
> 
> Any ideas or suggestions would be greatly appreciated.
>  I am currently working around the issue by capturing
> everything and then filtering using display filters
> but the captures are getting too large.
> 
> Thanks in advance.
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube