Ethereal-users: Re: [Ethereal-users] Capture without filter works fine, capture with filter does
any vlan tags?
if so you have to add to the filter the vlan in which to find the IP.
example:
"vlan 123 and host 1.2.3.4"
On Thu, 3 Mar 2005 09:56:24 -0800 (PST), Edward VanDewars
<gt4200b@xxxxxxxxx> wrote:
> I'm running ethereal 0.10.9 on an interface attached
> to a mirror port on a switch. I can capture data just
> fine if I do a capture by interface for the interface
> on the mirrored port. However, if I want to do any
> type of capture filter then nothing will capture.
>
> For example, I do an interface capture on the mirrored
> interface, eth1, and see that there is a LOT of
> traffic to IP address 1.2.3.4 so I attempt to do a
> capture (on the mirrored interface, eth1) with a
> capture filter of "host 1.2.3.4" and get nothing.
> I've tried starting ethereal with "-i eth1" with the
> same results.
>
> I suspect this is actually not an ethereal issue, as
> tcpdump exhibits the same behavior. "tcpdump -i eth1"
> returns all expected traffic (including LOTS of
> traffic to 1.2.3.4) but "tcpdump -i eth1 host 1.2.3.4"
> returns nothing no matter how long I wait (although
> upon ctrl-c it does report packets received by
> filter).
>
> In both cases I can capture traffic to and from the
> local host on the other nic (eth0) using filters.
>
> I'm running ethereal 0.10.9, tcpdump 3.8.3, and
> libpcap 0.8 on linux (Debian/testing) (all are Debian
> packages, nothing custom built) with kernel 2.6.10.
> The nic on the mirror port is an Intel pro/1000.
>
> Any ideas or suggestions would be greatly appreciated.
> I am currently working around the issue by capturing
> everything and then filtering using display filters
> but the captures are getting too large.
>
> Thanks in advance.
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan