Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] src host capture filter not working

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Jeff Liegel" <jliegel@xxxxxxxxxxxxxxx>
Date: Tue, 12 Jan 2010 16:35:46 -0600

 

 

From: Jeff Liegel
Sent: Tuesday, January 12, 2010 4:28 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: src host capture filter not working
Importance: High

 

Hi.  I desperately need to see packets coming from OR going to ip 207.35.208.194 using capture filter

 

 

Works fine with display filter only but this is a really busy network and I need to ultimately save the capture to a file thus need a capture filter. 

 

[]# tshark -i eth1 -R "ip.dst == 207.35.208.194 or ip.src == 207.35.208.194"

Capturing on eth1

 13.306484 207.35.208.194 -> 208.77.1.33  SIP Request: REGISTER sip:proxyc11b.italkbb.com

 13.307911  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

 20.787232 207.35.208.194 -> 208.77.1.33  SIP Request: REGISTER sip:proxyc11b.italkbb.com

 20.788120  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

 

 

 

Just host should show packets both ways (like example above) and does not

 

[]# tshark -i eth1  host 207.35.208.194

Capturing on eth1

  0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

  7.475218  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

6 packets captured

 

 

 

 

 

Src host does not work but dst host does work

 

[]# tshark -i eth1 dst host 207.35.208.194 or src host 207.35.208.194

Capturing on eth1

  0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

  7.475218  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

6 packets captured

 

 

 

 

 

This shows that src host does not work all by itself either

 

[]# tshark -i eth1  src host 207.35.208.194

Capturing on eth1

0 packets captured

 

 

 

 

 

Here is my version stuff

 

 

 

TShark 1.0.3

 

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.

This is free software; see the source for copying conditions. There is NO

warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 

Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX

capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with

GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos.

 

Running on Linux 2.6.18-92.1.22.el5, with libpcap version 0.9.4.

 

Built using gcc 4.1.2 20071124 (Red Hat 4.1.2-42).

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube