Wireshark-users: Re: [Wireshark-users] pcap / winpcap filters
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 29 Apr 2010 17:46:18 +0200
My guess would be that all traffic is vlan-tagged on the mirror port. Could you try the filter "vlan and (port 53 or port 5060)"?

See also: http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d

Cheers,
Sake

On 29 apr 2010, at 15:37, marco@xxxxxxxxxx wrote:

> Hi Lars,
> if I do not add any filter I can capture all the traffic (that does not match as source / destination or both) the mirroring port sends me. While if I enable a filter (like "igmp" for example) I can only see the traffic that can be accepted by the subnet I configure on my eth interface .....
>
> Regards,
> Marco
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> Cc:
> Date: Thu, 29 Apr 2010 15:03:20 +0200
> Subject: Re: [Wireshark-users] pcap / winpcap filters
>
> > Hi,
> > That's not a problem. In **promiscuous mode** (checked?), you will see any traffic coming out of the mirror port, regardless if it's on your local subnet or not.
> > Have you tried sniffing without any filter? Do you see the traffic of the other subnet then?
> > I suspect your problem is more related to your port mirroring setup than to Wireshark filters.
> >
> > Regards,
> > Lars Ruoff
> >
> > ________________________________________
> > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of marco@xxxxxxxxxx
> > Sent: Thursday 29 April 2010 14:49
> > To: wireshark-users@xxxxxxxxxxxxx
> > Subject: Re: [Wireshark-users] pcap / winpcap filters
> >
> > Hi,
> > yes, that's what I did in the past but if I use this filter string I can only get the packets that look up on my ethernet interface .... while I need to see all the packets that are not sent to / come from my eth interface subnet.
> >
> > I did a port mirroring on a Layer3 switch so on the mirroring port I can see all the packets of some subnet and they will necessarily not match my eth interface subnet .....
> >
> > Thanks !
> > Marco
> >
> > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> > Cc:
> > Date: Thu, 29 Apr 2010 14:09:46 +0200
> > Subject: Re: [Wireshark-users] pcap / winpcap filters
> >
> > > Hi,
> > >
> > > Would that be a capture filter like: 'port 53 or port 5060'
> > >
> > > Thanks,
> > > Jaap
> > >
> > > On Thu, 29 Apr 2010 11:39:17 +0200, "marco@marcomp.it" wrote:
> > > > I need to filter some traffic (before capturing it) using the pcap / winpcap filter but this traffic comes from some different subnet (different from my eth interface subnet).
> > > > So if I apply a filter the pcap shows me the packets that can look up on my eth interface only ...
> > > > How can I get the filtered traffic that comes from "everywhere" (0.0.0.0/0) ?
> > > >
> > > > I need to filter the data traffic before sending it to Wireshark because I only need to check the DNS and SIP traffic for a long time (maybe for more than 1 week)... so I don't want to store Gbyte and Gbyte of not helpful data on my pc.....
> > > >
> > > > Have you any suggestion ?
> > > >
> > > > Marco
> > >
> > > ___________________________________________________________________________
> > > Sent via: Wireshark-users mailing list
> > > Archives: http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
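The following is an added example, not part of the thread: a simplified Python model (IPv4 only) of why a port filter compiled for plain Ethernet reads fixed byte offsets and therefore misses 802.1Q-tagged frames, while the "vlan and (...)" form suggested in the reply matches them. The function names and sample frames are constructed for illustration.

```python
import struct

PORTS = {53, 5060}  # DNS and SIP, the two ports named in the thread

def build_frame(sport, dport, vlan_id=None):
    """Constructed sample frame: Ethernet + IPv4 + UDP, optional 802.1Q tag."""
    eth = bytes(12)                                   # dst + src MAC (zeros)
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)    # TPID, then TCI
    eth += struct.pack("!H", 0x0800)                  # EtherType: IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def match_ports(frame, l2_len=14):
    """Model of 'port 53 or port 5060' with a fixed link-header length."""
    if struct.unpack_from("!H", frame, l2_len - 2)[0] != 0x0800:
        return False                                  # not IPv4 at this offset
    if frame[l2_len + 9] not in (6, 17):
        return False                                  # neither TCP nor UDP
    if struct.unpack_from("!H", frame, l2_len + 6)[0] & 0x1FFF:
        return False                                  # non-first fragment
    ihl = (frame[l2_len] & 0x0F) * 4                  # IPv4 header length
    sport, dport = struct.unpack_from("!HH", frame, l2_len + ihl)
    return sport in PORTS or dport in PORTS

def match_vlan_ports(frame):
    """Model of 'vlan and (port 53 or port 5060)'."""
    tagged = struct.unpack_from("!H", frame, 12)[0] == 0x8100
    return tagged and match_ports(frame, l2_len=18)   # offsets shift by 4

def match_either(frame):
    """Model of '(port ...) or (vlan and (port ...))': tagged and untagged."""
    return match_ports(frame) or match_vlan_ports(frame)

if __name__ == "__main__":
    for name, f in [("untagged DNS", build_frame(40000, 53)),
                    ("VLAN 100 DNS", build_frame(40000, 53, 100)),
                    ("VLAN 100 SIP", build_frame(5060, 5060, 100)),
                    ("VLAN 100 HTTP", build_frame(40000, 80, 100))]:
        print(f"{name:14} plain={match_ports(f)} vlan={match_vlan_ports(f)} "
              f"either={match_either(f)}")
```

In libpcap filter syntax the `vlan` keyword shifts the decoding offsets for everything that follows it in the expression, which is why a combined filter lists the untagged alternative first.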