On Jan 12, 2010, at 2:35 PM, Jeff Liegel wrote:
> Hi. I desperately need to see packets coming from OR going to ip 207.35.208.194 using capture filter
>
> Works fine with display filter only but this is a really busy network and I need to ultimately save the capture to a file thus need a capture filter.
The Wireshark display filter code, for the filter "ip.dst == 207.35.208.194 or ip.src == 207.35.208.194", looks for IP addresses wherever they appear in the packet.
The libpcap/WinPcap capture filter code, for the filter "host 207.35.208.194", generates BPF code that looks for IP addresses under the assumption that there are no VLAN headers. The packets not being seen have VLAN headers.
The filter
host 207.35.208.194 or (vlan and host 207.35.208.194)
(you will need to quote that if you put it on the command line) sees all the packets in the file; it will check for IP addresses with no VLAN headers or with one level of VLAN header.
