Re: [WinPcap-users] Capture Filter on port - strange behavior

2005-05-09 Thread James Garrison
I should have thought of that :-)
However, when I do what you suggest, the offline filter
shows BOTH sides of the conversation.  The problem seems
to occur only when filtering during an actual live capture.
I have followed the website procedures for submitting a bug
and sent the info to the winpcap-bugs address.
Gianluca Varenni wrote:
> Hi James.
> Can you please try to dump the packets to disk with windump (no filter),
> then try to filter those packets offline with windump? If it
> fails, please send me the unfiltered trace file, and I'll try to
> reproduce the problem.
>
> Steps:
> 1. Capture to file: windump -i <some adapter> -w somefile.cap
> 2. Offline filter the file: windump -r somefile.cap port 25
> Have a nice day
> GV
--
James Garrison                   Athens Group, Inc.
mailto:[EMAIL PROTECTED]         5608 Parkcrest Dr
http://www.athensgroup.com       Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C (512) 345-0600 x150

==
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use 
mailto: [EMAIL PROTECTED]
==
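
The offline check suggested in the message above can also be done by counting, in the unfiltered trace, how many packets carry port 25 as source and how many as destination; if both counts are non-zero the trace itself is complete and the loss happens in the live filter path. This is an added example, not code from the thread or from WinPcap: the function names and the sample frames are constructed, and it assumes a classic little-endian pcap file with Ethernet/IPv4 framing.

```python
import struct
from collections import Counter

def tcp_frame(sport, dport):
    """Constructed minimal Ethernet/IPv4/TCP frame (no payload, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def port_directions(pcap, port=25):
    """Count packets matching 'port N', split by which side carries the port."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen, = struct.unpack_from("<I", pcap, off + 8)
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        frag_off = struct.unpack_from("!H", pkt, 20)[0] & 0x1FFF
        if pkt[23] not in (6, 17) or frag_off or len(pkt) < 14 + ihl + 4:
            continue                      # ports only in first fragment of TCP/UDP
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        if sport == port:
            counts["src"] += 1
        if dport == port:
            counts["dst"] += 1
    return counts

# Constructed trace: 3 client->server, 2 server->client, 1 unrelated packet.
SAMPLE = build_pcap([tcp_frame(40000, 25)] * 3 + [tcp_frame(25, 40000)] * 2
                    + [tcp_frame(40001, 80)])

if __name__ == "__main__":
    c = port_directions(SAMPLE)
    print(f"dst port 25: {c['dst']}, src port 25: {c['src']}")
    if not c["src"] or not c["dst"]:
        print("only one direction present in the trace")
```
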


Re: [WinPcap-users] Capture Filter on port - strange behavior

2005-05-06 Thread Vasily Borovyak
Hello James,

I'm using Ethereal 0.10.3 and WinPCap 3.0. WinXP-SP2
Filter was port 25.
And I've captured both incoming and outgoing packets.
So, the problem I think is in the Ethereal sources.

P.S. src port 25 || dst port 25 filter works fine too.


JG Originally posted on ethereal-users, referred to
JG winpcap-users from there.

JG Running on Windows XP SP2 with Ethereal versions
JG 0.10.10 and WinPCap 3.0.

JG If I provide the following capture filter:

JG  port 25

JG in order to capture an SMTP transaction, I see only
JG packets with destination port 25 -- I.e. I see
JG the client's outgoing packets only.

JG However, if I capture with NO filter specified, I see
JG all packets, so I know WinPCap is capturing all the
JG traffic.

JG I also tried

JG  src port 25 || dst port 25

JG but the results were the same. This used to work
JG just fine.  Has something changed or am I missing
JG something?

JG I also tried Ethereal 0.10.9 and WinPCap 3.1beta4 with
JG the same results.



-- 
Best regards, [EMAIL PROTECTED]





Re: [WinPcap-users] Capture Filter on port - strange behavior

2005-05-06 Thread Guy Harris
Vasily Borovyak wrote:
> I'm using Ethereal 0.10.3 and WinPCap 3.0. WinXP-SP2
> Filter was port 25.
> And I've captured both incoming and outgoing packets.
> So, the problem I think is in the Ethereal sources.

Unlikely, given that Ethereal doesn't do anything particularly unusual 
with libpcap/WinPcap that would affect this.

There might, however, be a difference in the network adapters you're 
using.  On UN*Xes, networking adapter drivers appear to be written by 
people a bit more clueful about the needs of traffic capturing programs 
than the people writing adapter drivers for Windows, unfortunately; 
802.11 driver writers are particularly unhelpful (they appear to have a 
tendency to supply packets *transmitted* by the host in 
NDIS_PACKET_TYPE_ALL_LOCAL mode but not in NDIS_PACKET_TYPE_PROMISCUOUS 
mode).

He should try capturing with WinPcap, and see if it behaves the same as 
Ethereal.  If it does, then it's either a WinPcap issue or (and I 
suspect this might be more likely) a driver issue.  If it doesn't, it's 
probably an Ethereal issue.  (With just about *any* problem capturing 
traffic on WinPcap with any application other than WinDump, the first 
step should be to try it with WinDump, to see whether the application is 
likely to be to blame or not.)



[WinPcap-users] Capture Filter on port - strange behavior

2005-05-05 Thread James Garrison
Originally posted on ethereal-users, referred to
winpcap-users from there.

Running on Windows XP SP2 with Ethereal versions
0.10.10 and WinPCap 3.0.

If I provide the following capture filter:

 port 25

in order to capture an SMTP transaction, I see only
packets with destination port 25 -- I.e. I see
the client's outgoing packets only.

However, if I capture with NO filter specified, I see
all packets, so I know WinPCap is capturing all the
traffic.

I also tried

 src port 25 || dst port 25

but the results were the same. This used to work
just fine.  Has something changed or am I missing
something?

I also tried Ethereal 0.10.9 and WinPCap 3.1beta4 with
the same results.
--
James Garrison                   Athens Group, Inc.
mailto:[EMAIL PROTECTED]         5608 Parkcrest Dr
http://www.athensgroup.com       Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C (512) 345-0600 x150
