Wireshark-dev: Re: [Wireshark-dev] capture filter issue
Date: Mon, 19 Jul 2010 17:21:01 +0530
Hi Sake,

Thanks a lot for your prompt reply.
I already tried the following options

1. (host or (vlan and (host
2. (net or (vlan and (net

In both the above cases I am facing the same error, I can see only
incoming traffic. Where as with out these filters I can see both
incoming & outgoing traffic.
Is this behavior is because of unidirectional L2 tagging?


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Sake Blok
Sent: Monday, July 19, 2010 5:02 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] capture filter issue

On 19 jul 2010, at 13:19, <[email protected]>
<[email protected]> wrote:

> When I am doing live capture with Wireshark using the "Capture filter"
option (host, my expectation is that I can able to see
both the to and from (source & dest) traffic with that ip address. But I
can see only incoming traffic (i.e. destination ip address only), it is
not showing any outgoing traffic from that ip address.
> If I remove that filter and start capturing, then I can see both
incoming and outgoing traffic with that ip address.
> I am doubting some setup problem in my Wireshark, but not sure where
to change.
> Can you please help me on this issue.

It could be that incoming traffic is not 802.1Q tagged, while outgoing
traffic is  802.1Q tagged, that all depends on where you are doing the
capture and what the L2 design is of that infrastructure.

The capture filter "host" will only match untagged
traffic. If you would also like to see the 802.1Q tagged traffic for, you need to specify a capture filter like this:

"host or (vlan and host"

Please note that the order in that filter is important. See also:

Hope this helps,


PS  This can also happen on PPPoE networks or any other situation where
L2 tagging/encapsulation is done in one direction, but the most common
case is 802.1Q vlan-tagging

Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev

mailto:[email protected]?subject=unsubscribe

Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.