Wireshark-bugs: [Wireshark-bugs] [Bug 9701] New: -f "filter" ignored when capturing from two int
Bug ID |
9701
|
Summary |
-f "filter" ignored when capturing from two interfaces
|
Classification |
Unclassified
|
Product |
Wireshark
|
Version |
1.10.5
|
Hardware |
x86
|
OS |
Windows 8.1
|
Status |
UNCONFIRMED
|
Severity |
Normal
|
Priority |
Low
|
Component |
TShark
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
stuart.kendrick.sea@gmail.com
|
Build Information:
C:\Temp>tshark -v
TShark 1.10.5 (SVNRev 54262 from /trunk-1.10)
Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without
Kerberos, with GeoIP.
Running on 64-bit Windows 8, build 9200, without WinPcap.
Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz, with 16280MB of physical
memory.
Built using Microsoft Visual C++ 10.0 build 40219
C:\Temp>
--
When I capture on two interfaces simultaneously, the Wireshark GUI honors the
Capture Filter _expression_. But tshark & dumpcap do not -- they ignore it.
I have an Intel Pro/1000 PF adapter in my PC, connected to the capture ports on
an in-line tap, and two packet streams traversing the tapped cable: a ping to
10.1.2.3 and a TCP stream to 10.1.2.10
Case A:
c:\temp> dumpcap -i eth0 -w foo.pcapng -f "ip host 10.1.2.3"
In this case, I see one side (remember: in-line tap) of the ping stream to
10.1.2.3 and nothing else (unsurprising, as the filter precludes traffic
to/from other addresses)
Case B:
c:\temp> dumpcap -i eth0 -i eth1 -w foo.pcapng -f "ip host 10.1.2.3"
In this case, I see both sides of the ping stream to 10.1.2.3 (unsurprising)
plus both sides of the TCP stream to 10.1.2.10 (surprising: I would have
predicted that the filter would discard traffic to/from 10.1.2.10)
If I use the Wireshark GUI, filtering behaves as I would predict (i.e. I only
see traffic to/from 10.1.2.3).
You are receiving this mail because:
- You are watching all bug changes.