Wireshark-dev: Re: [Wireshark-dev] capture filter issue
From: <upendra.allu@xxxxxxxxx>
Date: Mon, 19 Jul 2010 17:21:01 +0530
Hi Sake,

Thanks a lot for your prompt reply.

I already tried the following options:

1. (host 172.16.59.240) or (vlan and (host 172.16.59.240)))
2. (net 172.16.59.0/24) or (vlan and (net 172.16.59.0/24)))

In both the above cases I am facing the same error: I can see only incoming traffic, whereas without these filters I can see both incoming & outgoing traffic.

Is this behavior because of unidirectional L2 tagging?

Regards,
Upendra

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Monday, July 19, 2010 5:02 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] capture filter issue

On 19 jul 2010, at 13:19, <upendra.allu@xxxxxxxxx> <upendra.allu@xxxxxxxxx> wrote:

> When I am doing live capture with Wireshark using the "Capture filter" option (host 172.16.59.240), my expectation is that I am able to see both the to and from (source & dest) traffic with that ip address. But I can see only incoming traffic (i.e. destination ip address only), it is not showing any outgoing traffic from that ip address.
>
> If I remove that filter and start capturing, then I can see both incoming and outgoing traffic with that ip address.
> I am doubting some setup problem in my Wireshark, but not sure where to change.
> Can you please help me on this issue.

It could be that incoming traffic is not 802.1Q tagged, while outgoing traffic is 802.1Q tagged, that all depends on where you are doing the capture and what the L2 design is of that infrastructure.

The capture filter "host 172.16.59.240" will only match untagged traffic. If you would also like to see the 802.1Q tagged traffic for 172.16.59.240, you need to specify a capture filter like this:

"host 172.16.59.240 or (vlan and host 172.16.59.240)"

Please note that the order in that filter is important.
See also: http://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters

Hope this helps,

Cheers,
Sake

PS This can also happen on PPPoE networks or any other situation where L2 tagging/encapsulation is done in one direction, but the most common case is 802.1Q vlan-tagging
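The following is an added example, not part of the original thread and not Wireshark or libpcap code. It is a simplified Python model of the fixed-offset matching Sake describes, showing why "host" alone misses 802.1Q-tagged frames and why the position of "vlan" in the expression matters. The peer address, VLAN ID 59 and all function names are assumptions, and only IPv4 is modelled.

```python
import socket
import struct

HOST, PEER = "172.16.59.240", "172.16.59.1"   # PEER is a constructed address
ETH_IP, ETH_VLAN = 0x0800, 0x8100

def frame(src, dst, vlan_id=None):
    """Build a constructed Ethernet + IPv4 header, optionally 802.1Q tagged."""
    eth = bytes(12)                                   # zeroed dst/src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)  # 4-byte 802.1Q tag
    eth += struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

class Matcher:
    """Primitives read fixed offsets; every primitive after `vlan` is shifted."""
    def __init__(self, pkt):
        self.pkt, self.shift = pkt, 0

    def _u16(self, off):
        return struct.unpack_from("!H", self.pkt, off + self.shift)[0]

    def vlan(self):
        hit = self._u16(12) == ETH_VLAN
        self.shift += 4          # rest of the expression assumes a tagged frame
        return hit

    def host(self, addr):
        a, s = socket.inet_aton(addr), self.shift
        is_ip = self._u16(12) == ETH_IP               # EtherType check
        return is_ip and a in (self.pkt[26 + s:30 + s], self.pkt[30 + s:34 + s])

def host_only(pkt):              # host X
    return Matcher(pkt).host(HOST)

def host_or_vlan(pkt):           # host X or (vlan and host X)
    m = Matcher(pkt)
    a, v, b = m.host(HOST), m.vlan(), m.host(HOST)    # textual order, no short-circuit
    return a or (v and b)

def vlan_or_host(pkt):           # (vlan and host X) or host X
    m = Matcher(pkt)
    v, b, a = m.vlan(), m.host(HOST), m.host(HOST)    # both hosts are shifted
    return (v and b) or a

INBOUND = frame(PEER, HOST)                 # untagged, towards the host
OUTBOUND = frame(HOST, PEER, vlan_id=59)    # tagged, from the host
```

In this model the reversed expression drops the untagged frame because the trailing "host" is decoded at the shifted offsets as well.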