Wireshark-dev: Re: [Wireshark-dev] capture filter issue

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 19 Jul 2010 13:31:32 +0200
On 19 jul 2010, at 13:19, <upendra.allu@xxxxxxxxx> <upendra.allu@xxxxxxxxx> wrote:

> When I am doing live capture with Wireshark using the “Capture filter” option (host 172.16.59.240), my expectation is that I can able to see both the to and from (source & dest) traffic with that ip address. But I can see only incoming traffic (i.e. destination ip address only), it is not showing any outgoing traffic from that ip address.
>
> If I remove that filter and start capturing, then I can see both incoming and outgoing traffic with that ip address.
> I am doubting some setup problem in my Wireshark, but not sure where to change.
> Can you please help me on this issue.

It could be that incoming traffic is not 802.1Q tagged, while outgoing traffic is 802.1Q tagged; that all depends on where you are doing the capture and what the L2 design of that infrastructure is.

The capture filter "host 172.16.59.240" will only match untagged traffic. If you would also like to see the 802.1Q tagged traffic for 172.16.59.240, you need to specify a capture filter like this:

"host 172.16.59.240 or (vlan and host 172.16.59.240)"

Please note that the order in that filter is important. See also: http://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters

Hope this helps,
Cheers,
Sake

PS: This can also happen on PPPoE networks or any other situation where L2 tagging/encapsulation is done in one direction, but the most common case is 802.1Q vlan-tagging.
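The following is an added example, not code from the thread or from the Wireshark/libpcap projects. It models, in plain Python, the fixed-offset matching that a compiled capture filter performs, to show why `host X` alone misses 802.1Q-tagged frames and why `host X or (vlan and host X)` must be written in that order: the `vlan` keyword shifts the decoding offsets by four bytes for the rest of the expression, so a `host X` placed after it no longer matches untagged frames. The two frames (an untagged inbound packet from the constructed peer 10.0.0.5 and a tagged outbound one on the constructed VLAN 100), the MAC addresses and the offset model itself are assumptions for the demo; it does not call libpcap.

```python
"""Toy model of how a fixed-offset capture filter sees 802.1Q-tagged frames.

Added example, not code from the mailing-list post. Nothing here calls
libpcap; it re-implements just enough of the offset-based matching that
BPF filters use to explain the behaviour described in the reply.
Frames, MACs, the peer address 10.0.0.5 and VLAN 100 are constructed.
"""
import struct
import ipaddress
from typing import Optional

ETH_P_IP = 0x0800     # IPv4 ethertype
ETH_P_8021Q = 0x8100  # 802.1Q TPID
HOST = "172.16.59.240"  # address from the original question


def build_frame(src_ip: str, dst_ip: str, vlan_id: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet/IPv4 frame, optionally with one 802.1Q tag.
    Constructed test data: MACs are arbitrary, there is no payload."""
    eth_dst = bytes.fromhex("001122334455")
    eth_src = bytes.fromhex("66778899aabb")
    # IPv4 header (20 bytes): ver/IHL, TOS, total len, id, flags/frag,
    # TTL, proto (UDP), checksum left zero, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    if vlan_id is None:
        return eth_dst + eth_src + struct.pack("!H", ETH_P_IP) + ip_hdr
    tci = vlan_id & 0x0FFF  # PCP and DEI bits zero, 12-bit VLAN ID
    return (eth_dst + eth_src + struct.pack("!HH", ETH_P_8021Q, tci)
            + struct.pack("!H", ETH_P_IP) + ip_hdr)


def host_matches(frame: bytes, host: str, offset: int) -> bool:
    """Model of the compiled code for "host X": the ethertype at 12+offset
    must be IPv4, then src (26+offset) or dst (30+offset) must equal X.
    offset is 0 for untagged decoding and 4 once "vlan" shifted the offsets."""
    want = ipaddress.IPv4Address(host).packed
    if len(frame) < 34 + offset:
        return False
    if struct.unpack_from("!H", frame, 12 + offset)[0] != ETH_P_IP:
        return False
    src = frame[26 + offset:30 + offset]
    dst = frame[30 + offset:34 + offset]
    return src == want or dst == want


def vlan_matches(frame: bytes) -> bool:
    """Model of the compiled code for "vlan": TPID 0x8100 at offset 12."""
    return len(frame) >= 14 and struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q


def filter_host_only(frame: bytes, host: str = HOST) -> bool:
    """Filter "host X": untagged offsets only, so tagged frames are missed."""
    return host_matches(frame, host, 0)


def filter_correct_order(frame: bytes, host: str = HOST) -> bool:
    """Filter "host X or (vlan and host X)": the untagged check runs first;
    the vlan keyword then shifts offsets by 4 for the rest of the expression."""
    return host_matches(frame, host, 0) or (vlan_matches(frame) and host_matches(frame, host, 4))


def filter_wrong_order(frame: bytes, host: str = HOST) -> bool:
    """Filter "(vlan and host X) or host X": after "vlan" has been seen, the
    trailing "host X" is also compiled with shifted offsets, so untagged
    frames no longer match. This is why the order in the reply matters."""
    return (vlan_matches(frame) and host_matches(frame, host, 4)) or host_matches(frame, host, 4)


def demo() -> dict:
    """Return, per filter, which constructed frames it would capture."""
    frames = {
        # reply from the peer arrives untagged (what the poster saw)
        "inbound_untagged": build_frame("10.0.0.5", HOST),
        # the host's own traffic leaves on a tagged VLAN (what was missing)
        "outbound_tagged": build_frame(HOST, "10.0.0.5", vlan_id=100),
    }
    filters = {
        "host X": filter_host_only,
        "host X or (vlan and host X)": filter_correct_order,
        "(vlan and host X) or host X": filter_wrong_order,
    }
    return {fname: {frname: f(fr) for frname, fr in frames.items()}
            for fname, f in filters.items()}


if __name__ == "__main__":
    for fname, results in demo().items():
        print(f"{fname:32s} {results}")
```

Only the middle filter accepts both frames; `host X` drops the tagged outbound frame, and the reversed order drops the untagged inbound one. On a real capture box the quick check is to compare `tcpdump -d 'host X'` with `tcpdump -d 'host X or (vlan and host X)'` and look at which byte offsets the generated code loads.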