This is works as designed (but one can wonder about the design). As soon as
the word vlan has been seen, the offset pointer is increased by 4 (the size
of the 802.1q header). It is not decreased afterwards. This means the order
of the arguments is of importance. You can use:
tshark -i eth1 "port 10000 or (vlan and port 10000)"
Cheers,
Sake
----- Original Message -----
From: "Jeff Liegel" <jliegel@xxxxxxxxxxxxxxx>
To: "Jeff Liegel" <jliegel@xxxxxxxxxxxxxxx>; "Community support list for
Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, January 13, 2010 7:12 PM
Subject: Re: [Wireshark-users] src host capture filter not working
Same problem, same server slightly different scenario
This works:
tshark -i eth1 vlan and port 10000
0.817934 174.117.144.244 -> 208.77.1.33 SIP Request: REGISTER
ip:proxyc11b.mydomain.com
0.819973 99.253.191.212 -> 208.77.1.17 SIP Request: REGISTER
sip:proxyc11a.mydomain.com
0.819975 24.190.222.119 -> 208.77.1.143 SIP Request: REGISTER
sip:proxyc9b.mydomain.com
This works:
tshark -i eth1 port 10000
1.423064 208.77.1.143 -> 72.93.167.225 SIP Status: 200 OK (1
bindings)
1.423234 208.77.1.133 -> 71.190.181.179 SIP Status: 200 OK (1
bindings)
1.423409 208.77.1.133 -> 69.142.207.81 SIP Status: 200 OK (1
bindings)
But seems I can not combine the two (i.e. to get the register and OK in
same trace):
tshark -i eth1 "(vlan and port 10000) or port 10000"
2.004152 74.12.123.35 -> 208.77.1.17 SIP Request: REGISTER
sip:proxyc11a.mydomain.com
2.004345 58.252.27.54 -> 208.77.1.143 SIP Request: REGISTER
sip:proxyc9b.mydomain.com
2.004904 99.227.92.50 -> 208.77.1.33 SIP Request: REGISTER
sip:proxyc11b.mydomain.com
-----Original Message-----
From: Jeff Liegel
Sent: Wednesday, January 13, 2010 9:06 AM
To: 'Community support list for Wireshark'
Subject: RE: [Wireshark-users] src host capture filter not working
That worked, thanks so much.
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, January 12, 2010 10:32 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] src host capture filter not working
Importance: High
On Jan 12, 2010, at 2:35 PM, Jeff Liegel wrote:
Hi. I desperately need to see packets coming from OR going to ip
207.35.208.194 using capture filter
Works fine with display filter only but this is a really busy network
and I need to ultimately save the capture to a file thus need a capture
filter.
The Wireshark display filter code, for the filter "ip.dst ==
207.35.208.194 or ip.src == 207.35.208.194", looks for IP addresses
wherever they appear in the packet.
The libpcap/WinPcap capture filter code, for the filter "host
207.35.208.194", generates BPF code that looks for IP addresses under
the assumption that there are no VLAN headers. The packets not being
seen have VLAN headers.
The filter
host 207.35.208.194 or (vlan and host 207.35.208.194)
(you will need to quote that if you put it on the command line) sees all
the packets in the file; it will check for IP addresses with no VLAN
headers or with one level of VLAN header.
________________________________________________________________________
___
Sent via: Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
