I do this all the time and it's actually very easy to do.


Do a quick capture on any traffic...stop and decode. 

Create a new Capture profile by clicking on the wizard and profiles new. I
usually name these types for the subnet that I wish to sniff.

In the new profile, click on data pattern and change the AND to an OR. Add a
NOT and then add pattern. I always add a NOT so that I can turn this match on
and off. Since you'll want this one on, click the NOT so it is just red;
this will make it match.

Click on Add Pattern and click on the source address in the IP Header and
click on Set Data, it doesn't matter if this is the subnet you want or not.

Delete the fourth Octet so that you only have the "Subnet" octets still
showing. Keep the portions that match what you want and if one of the octets
isn't what you want change this to what you do want. You can use the Windows
calculator in scientific mode to convert from decimal to hex by typing in
the decimal and then clicking on Hex. If you only get one character like A
for 10 add a Zero in front of it in the Pattern. Change the description to
state this as the Source subnet you are sniffing.

When done click on OK...then click on the OR and add another NOT and follow
the same method but this time use the destination address in the IP header.
When all done click on OK. You will now only match addresses with the subnet
you want to capture.

Thomas Moore
CCNP, CCDP


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18185&t=18168
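
The matching logic described in the post above, sketched in Python as an added example (it is not part of the original post and is not Sniffer's own code). The subnet 10.1.20.0/24, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Offsets are relative to the start of the IPv4 header; on an Ethernet II
# frame add 14 bytes for the link-layer header.
IP_SRC_OFFSET = 12
IP_DST_OFFSET = 16

def subnet_pattern(subnet: str) -> bytes:
    """Return the three 'subnet' octets of an IPv4 /24 as raw bytes."""
    net = ipaddress.ip_network(subnet)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this sketch only handles IPv4 /24 subnets")
    return net.network_address.packed[:3]

def pattern_hex(subnet: str) -> str:
    """Hex form of the pattern, zero-padded so decimal 10 becomes '0A'."""
    return " ".join(f"{b:02X}" for b in subnet_pattern(subnet))

def matches(ip_header: bytes, subnet: str) -> bool:
    """Source-subnet pattern OR destination-subnet pattern."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        return False  # truncated header or not IPv4
    pat = subnet_pattern(subnet)
    src = ip_header[IP_SRC_OFFSET:IP_SRC_OFFSET + 3]
    dst = ip_header[IP_DST_OFFSET:IP_DST_OFFSET + 3]
    return src == pat or dst == pat

def make_header(src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

if __name__ == "__main__":
    subnet = "10.1.20.0/24"  # constructed example subnet
    print("pattern:", pattern_hex(subnet))
    samples = [("10.1.20.5", "192.168.1.1"),   # source in subnet
               ("192.168.1.1", "10.1.20.77"),  # destination in subnet
               ("10.1.21.5", "192.168.1.1")]   # neither
    for src, dst in samples:
        print(src, "->", dst, matches(make_header(src, dst), subnet))
```
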