Re: [Wireshark-users] Capture filter with multiple VLANs

2019-08-05 Thread Todd Adamson
Ah. And that is why we ask the questions.  I didn't think of 
moving farther down the stack for the capture filters.  
Thanks to everyone who sent the idea.


Todd

On 8/1/2019 8:52 AM, Maynard, Chris via Wireshark-users wrote:

How about a capture filter such as this?

"vlan and not (ether[14:2]&0x0fff = 20 or ether[14:2]&0x0fff = 30)"

- Chris
See also: https://ask.wireshark.org/question/3877/vlan-filter/



-Original Message-
From: Wireshark-users [mailto:wireshark-users-boun...@wireshark.org] On
Behalf Of Todd Adamson
Sent: Wednesday, July 31, 2019 6:41 PM
To: Wireshark-users@wireshark.org
Subject: [Wireshark-users] Capture filter with multiple VLANs

Is it possible to create a capture filter to deal with multiple vlans?  What I
would like to do is:

not (vlan 20 or vlan 30)
or
not vlan 20 and not vlan 30

So far, from what I've read, only the first vlan element is used in the filter.

Ideas?

Thanks.

Todd


___
Sent via:Wireshark-users mailing list 
Archives:https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-users] Capture filter with multiple VLANs

2019-08-01 Thread Maynard, Chris via Wireshark-users

How about a capture filter such as this?

"vlan and not (ether[14:2]&0x0fff = 20 or ether[14:2]&0x0fff = 30)"

- Chris
See also: https://ask.wireshark.org/question/3877/vlan-filter/


> -Original Message-
> From: Wireshark-users [mailto:wireshark-users-boun...@wireshark.org] On
> Behalf Of Todd Adamson
> Sent: Wednesday, July 31, 2019 6:41 PM
> To: Wireshark-users@wireshark.org
> Subject: [Wireshark-users] Capture filter with multiple VLANs
>
> Is it possible to create a capture filter to deal with multiple vlans?  What I
> would like to do is:
>
> not (vlan 20 or vlan 30)
> or
> not vlan 20 and not vlan 30
>
> So far, from what I've read, only the first vlan element is used in the 
> filter.
>
> Ideas?
>
> Thanks.
>
> Todd

Re: [Wireshark-users] Capture filter with multiple VLANs

2019-07-31 Thread Jaap Keuter
Hi,

For this you have to go lower in the stack and access the packet bytes directly.

Have a look at proto [ expr : size ], where proto is ether. Now you can access 
the bytes in the ethernet frame directly.
So start looking for 8100 as the ethertype, then extend the expression to make 
comparisons for the VID field in the VLAN header.

Hope it helps.
Jaap


> On 1 Aug 2019, at 00:40, Todd Adamson wrote:
> 
> Is it possible to create a capture filter to deal with multiple vlans?  What 
> I would like to do is:
> 
> not (vlan 20 or vlan 30)
> or
> not vlan 20 and not vlan 30
> 
> So far, from what I've read, only the first vlan element is used in the 
> filter.
> 
> Ideas?
> 
> Thanks.
> 
> Todd


Re: [Wireshark-users] Capture Filter Help

2008-02-06 Thread Sake Blok
On Wed, Feb 06, 2008 at 01:51:43PM -0500, James Pifer wrote:
 Hi. I've been googling and using the wiki but I can't figure out if this
 is possible. 
 
 I'm trying to set up a capture filter to capture only data where the ip
 address contains a certain part of an ip address. We have a lot of
 servers on a distributed network that have standard addresses. 
 
 For example, I'd like to capture data on port 137 if the ip address is
 like 192.xxx.xxx.11 where xxx can be anything. 
 
 Can this be done in a capture filter? Looks like it can be done in a
 display filter, but I really don't want that. 

How'bout looking at the specific locations within the ip-packet for
src address or destination address:

ip[0xc]==192 and ip[0xf]==11

Would match any packet from 192.x.x.11 and 

ip[0x10]=192 and ip[0x13]==11

would match any packet to 192.x.x.11.

So the full filter would be:

((ip[0xc]==192 and ip[0xf]==11) or (ip[0x10]==192 and ip[0x13]==11)) and port 137

Hope this helps,
Cheers,
Sake
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users


Re: [Wireshark-users] Capture Filter Help

2008-02-06 Thread Guy Harris
James Pifer wrote:

 I'm trying to set up a capture filter to capture only data where the ip
 address contains a certain part of an ip address. We have a lot of
 servers on a distributed network that have standard addresses. 
 
 For example, I'd like to capture data on port 137 if the ip address is
 like 192.xxx.xxx.11 where xxx can be anything. 
 
 Can this be done in a capture filter?

Not conveniently, but it can be done:

(((ip[12:4] & 0xFF0000FF) = 0xC000000B) || ((ip[16:4] & 0xFF0000FF) = 0xC000000B)) && port 137

(which extracts the IP source address, ANDs it with 0xFF0000FF, compares 
it with 192.0.0.11, does the same with the IP destination address, 
matches if either is true, and then ANDs that with a match on port 137).


Re: [Wireshark-users] Capture Filter Help

2008-02-06 Thread James Pifer

 How'bout looking at the specific locations within the ip-packet for
 src address or destination address:
 
 ip[0xc]==192 and ip[0xf]==11
 
 Would match any packet from 192.x.x.11 and 
 
 ip[0x10]=192 and ip[0x13]==11
 
 would match any packet to 192.x.x.11.
 
 So the full filter would be:
 
 ((ip[0xc]==192 and ip[0xf]==11) or (ip[0x10]==192 and ip[0x13]==11)) and port 137
 
 Hope this helps,
 Cheers,
 Sake

Sake, 

I'm trying this, just waiting for something to come in. 

I would also like to filter NBNS protocol. Right now I have a display
filter like this:
nbns.flags == 0x2810 || nbns.flags == 0x2910

Again, I'd rather have this in a capture filter in case I want to start
saving it. What is the best capture reference? Maybe I've not come
across it yet.

Thanks for the help.
James



Re: [Wireshark-users] Capture Filter Help

2008-02-06 Thread Sake Blok
On Wed, Feb 06, 2008 at 02:46:21PM -0500, James Pifer wrote:
 
 I would also like to filter NBNS protocol. Right now I have a display
 filter like this:
 nbns.flags == 0x2810 || nbns.flags == 0x2910
 
 Again, I'd rather have this in a capture filter in case I want to start
 saving it.

You could use something like:

udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910

Why? Because the udp header is 8 bytes long, and then there are
two bytes for the NBNS Transaction ID. The following two bytes
(starting from position 0xa (=10) relative to the start of the UDP header)
will be the nbns flags.

 What is the best capture reference? Maybe I've not come
 across it yet.

Start at:

http://www.ethereal.com/docs/eug_html_chunked/ChCapCaptureFilterSection.html

and also follow the link at the bottom of that page to:

http://www.tcpdump.org/tcpdump_man.html

That should get you on your way. Apart from that, it's being creative
with what is offered by the libpcap filter format.

Cheers,
Sake


Re: [Wireshark-users] Capture Filter Help

2008-02-06 Thread Sake Blok
On Wed, Feb 06, 2008 at 10:14:29PM +0100, Sake Blok wrote:
 On Wed, Feb 06, 2008 at 02:46:21PM -0500, James Pifer wrote:
  
  I would also like to filter NBNS protocol. Right now I have a display
  filter like this:
  nbns.flags == 0x2810 || nbns.flags == 0x2910
  
  Again, I'd rather have this in a capture filter in case I want to start
  saving it.
 
 You could use something like:
 
 udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910

Oops, that should of course be:

udp port 137 and (udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910)

Cheers,
   Sake


Re: [Wireshark-users] Capture filter for MAC addresses

2008-01-25 Thread Guy Harris

On Jan 25, 2008, at 4:24 PM, Frank Bulk wrote:

 I've looked at the wiki page (http://wiki.wireshark.org/Ethernet)  
 but it's
 not entirely clear to me how I would capture the traffic from all  
 those
 devices that share the same OUI.

 For example, if the OUI of interest was Cisco (00:1b:0d), I have  
 tried this:
   ether[0:4]=0x001B0D
 but it didn't seem to work.  I suspect I don't fully understand the
 usage of
 the square brackets, and perhaps I need to use a mask of some kind.

Capture filters can only test 1-byte, 2-byte, or 4-byte fields:

$ man tcpdump

...

       expression
              selects which packets will be dumped.  If no expression is
              given, all packets on the net will be dumped.  Otherwise, only
              packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives.  Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers.  There are three different kinds of qualifier:

...

              expr relop expr
                     True if the relation holds, where relop is one of >, <,
                     >=, <=, =, !=, and expr is an arithmetic expression
                     composed of integer constants (expressed in standard C
                     syntax), the normal binary operators [+, -, *, /, &, |,
                     <<, >>], a length operator, and special packet data
                     accessors.  Note that all comparisons are unsigned, so
                     that, for example, 0x80000000 and 0xffffffff are > 0.  To
                     access data inside the packet, use the following syntax:

                            proto [ expr : size ]

                     Proto is one of ether, fddi, tr, wlan, ppp, slip, link,
                     ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and
                     indicates the protocol layer for the index operation.
                     (ether, fddi, wlan, tr, ppp, slip and link all refer to
                     the link layer.  radio refers to the radio header added
                     to some 802.11 captures.)  Note that tcp, udp and other
                     upper-layer protocol types only apply to IPv4, not IPv6
                     (this will be fixed in the future).  The byte offset,
                     relative to the indicated protocol layer, is given by
                     expr.  Size is optional and indicates the number of bytes
                     in the field of interest; it can be either one, two, or
                     four, and defaults to one.  The length operator,
                     indicated by the keyword len, gives the length of the
                     packet.

so, yes, you'd have to either

1) do ether[0] == 0x00 and ether[1] == 0x1B and ether[2] == 0x0D

or

2) use a mask - (ether[0:4] & 0xFFFFFF00) == 0x001B0D00

(the latter generates less BPF code, and would run a little faster).


Re: [Wireshark-users] Capture filter for MAC addresses

2008-01-25 Thread Frank Bulk
Thanks, that helps a lot.  

Now, to take it one step farther, I need to apply that capture filter to the
client field (labeled in the display filter 'bootp.hw.mac_addr').  
Is that possible in a capture filter?  And if you're going to ask if the
offset from the start of the packet is consistent, it's not.

Basically what I'm trying to do here is capture the DHCP packets for a
certain brand of devices in the field, but they're behind a DHCP relay so I
can't use the frame's hardware MAC address because it's always the DHCP
relay device.

Frank

-Original Message-
From: Guy Harris [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 25, 2008 8:22 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Capture filter for MAC addresses


On Jan 25, 2008, at 4:24 PM, Frank Bulk wrote:

 I've looked at the wiki page (http://wiki.wireshark.org/Ethernet)
 but it's
 not entirely clear to me how I would capture the traffic from all
 those
 devices that share the same OUI.

 For example, if the OUI of interest was Cisco (00:1b:0d), I have
 tried this:
   ether[0:4]=0x001B0D
 but it didn't seem to work.  I suspect I don't fully understand the
 usage of
 the square brackets, and perhaps I need to use a mask of some kind.

Capture filters can only test 1-byte, 2-byte, or 4-byte fields:

$ man tcpdump

...

       expression
              selects which packets will be dumped.  If no expression is
              given, all packets on the net will be dumped.  Otherwise, only
              packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives.  Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers.  There are three different kinds of qualifier:

...

              expr relop expr
                     True if the relation holds, where relop is one of >, <,
                     >=, <=, =, !=, and expr is an arithmetic expression
                     composed of integer constants (expressed in standard C
                     syntax), the normal binary operators [+, -, *, /, &, |,
                     <<, >>], a length operator, and special packet data
                     accessors.  Note that all comparisons are unsigned, so
                     that, for example, 0x80000000 and 0xffffffff are > 0.  To
                     access data inside the packet, use the following syntax:

                            proto [ expr : size ]

                     Proto is one of ether, fddi, tr, wlan, ppp, slip, link,
                     ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and
                     indicates the protocol layer for the index operation.
                     (ether, fddi, wlan, tr, ppp, slip and link all refer to
                     the link layer.  radio refers to the radio header added
                     to some 802.11 captures.)  Note that tcp, udp and other
                     upper-layer protocol types only apply to IPv4, not IPv6
                     (this will be fixed in the future).  The byte offset,
                     relative to the indicated protocol layer, is given by
                     expr.  Size is optional and indicates the number of bytes
                     in the field of interest; it can be either one, two, or
                     four, and defaults to one.  The length operator,
                     indicated by the keyword len, gives the length of the
                     packet.

so, yes, you'd have to either

1) do ether[0] == 0x00 and ether[1] == 0x1B and ether[2] == 0x0D

or

2) use a mask - (ether[0:4] & 0xFFFFFF00) == 0x001B0D00

(the latter generates less BPF code, and would run a little faster).



Re: [Wireshark-users] Capture filter for MAC addresses

2008-01-25 Thread Guy Harris
Frank Bulk wrote:
 Now, to take it one step farther, I need to apply that capture filter to the
 client field (labeled in the display filter 'bootp.hw.mac_addr').  
 Is that possible in a capture filter?  And if you're going to ask if the
 offset from the start of the packet is consistent, it's not.
   
Offsets can be computed based on the values in other fields:

       expr relop expr
              True if the relation holds, where relop is one of >, <,
              >=, <=, =, !=, and expr is an arithmetic expression
              composed of integer constants (expressed in standard C
              syntax), the normal binary operators [+, -, *, /, &, |,
              <<, >>], a length operator, and special packet data
              accessors.  Note that all comparisons are unsigned, so
              that, for example, 0x80000000 and 0xffffffff are > 0.  To
              access data inside the packet, use the following syntax:

                     proto [ expr : size ]

I.e., it says expr in proto[expr:size], which means the offset in 
proto[expr:size] can be an arbitrary expression.

Figuring out the right expression is left as an exercise for the 
reader.  (If it involves a loop, however, forget it - the offset 
*eventually* has to be based on values at a fixed offset from, for 
example, the beginning of the UDP payload.  Fortunately, the UDP header 
is fixed-length)
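Worked example, added here and not taken from any poster or from libpcap: a small Python emulation of the proto[offset:size] accessors, running the byte-offset filters from these threads (the VLAN-ID test, the 192.x.x.11 mask, the NBNS flags at udp[0xa:2], the OUI mask) over constructed frames. The MAC addresses, IP addresses and NBNS values are made up, only the UDP half of "port 137" is modelled, and the offset shift caused by the vlan keyword is reproduced so the "host x sees nothing on a tagged mirror port" symptom from the other threads can be seen.

```python
"""Emulate the proto[offset:size] accessors of the tcpdump/libpcap filter
language and run the filters from these threads over constructed frames."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(vid=None, src_ip="192.168.1.11", dst_ip="10.0.0.1",
                port=137, nbns_flags=0x2810):
    """Constructed Ethernet/IPv4/UDP frame, optionally with one 802.1Q tag.
    Destination MAC 00:1b:0d:11:22:33 carries the OUI from the MAC thread;
    the UDP payload imitates an NBNS header (2-byte transaction id, 2-byte
    flags, padding).  Every value here is made up for the example."""
    payload = struct.pack("!HH", 0x1234, nbns_flags) + bytes(8)
    udp_len = 8 + len(payload)
    eth = bytes.fromhex("001b0d112233") + bytes.fromhex("aabbccddeeff")
    if vid is not None:
        eth += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TPID, TCI
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17,
                       0, ip_bytes(src_ip), ip_bytes(dst_ip))
    udp_hdr = struct.pack("!HHHH", port, port, udp_len, 0)
    return eth + ipv4 + udp_hdr + payload


def ether(frame, off, size=1):
    """ether[off:size]: unsigned big-endian read relative to the link layer."""
    return int.from_bytes(frame[off:off + size], "big")


def ip_base(vlan_keyword):
    """Where libpcap expects the IP header.  Without the 'vlan' primitive the
    filter assumes offset 14; 'vlan' shifts every later offset by 4 bytes,
    which is why 'host x' alone sees nothing on a tagged mirror port."""
    return 18 if vlan_keyword else 14


def is_ipv4(frame, vlan_keyword=False):
    """The implicit 'ip' (and 'vlan') checks behind ip[...] and udp[...]."""
    tagged = ether(frame, 12, 2) == TPID_8021Q
    if vlan_keyword != tagged:
        return False
    return ether(frame, ip_base(vlan_keyword) - 2, 2) == ETHERTYPE_IPV4


def ip(frame, off, size=1, vlan_keyword=False):
    base = ip_base(vlan_keyword)
    return int.from_bytes(frame[base + off:base + off + size], "big")


def udp(frame, off, size=1, vlan_keyword=False):
    """udp[off:size]; the IP header length comes from the IHL nibble."""
    base = ip_base(vlan_keyword) + 4 * (ip(frame, 0, 1, vlan_keyword) & 0x0F)
    return int.from_bytes(frame[base + off:base + off + size], "big")


def is_udp_port_137(frame, vlan_keyword=False):
    """udp port 137 (either direction)."""
    if not is_ipv4(frame, vlan_keyword) or ip(frame, 9, 1, vlan_keyword) != 17:
        return False
    return 137 in (udp(frame, 0, 2, vlan_keyword), udp(frame, 2, 2, vlan_keyword))


def vlan_not_20_or_30(frame):
    """vlan and not (ether[14:2]&0x0fff = 20 or ether[14:2]&0x0fff = 30)"""
    if ether(frame, 12, 2) != TPID_8021Q:
        return False
    return (ether(frame, 14, 2) & 0x0FFF) not in (20, 30)


def host_192_x_x_11_port_137(frame, vlan_keyword=False):
    """(((ip[12:4] & 0xFF0000FF) = 0xC000000B) ||
       ((ip[16:4] & 0xFF0000FF) = 0xC000000B)) && port 137
    Only the UDP half of 'port 137' is modelled."""
    if not is_udp_port_137(frame, vlan_keyword):
        return False
    mask, want = 0xFF0000FF, 0xC000000B          # 255.0.0.255 / 192.0.0.11
    return ((ip(frame, 12, 4, vlan_keyword) & mask) == want or
            (ip(frame, 16, 4, vlan_keyword) & mask) == want)


def nbns_flags_filter(frame, vlan_keyword=False):
    """udp port 137 and (udp[0xa:2] == 0x2810 || udp[0xa:2] == 0x2910):
    8-byte UDP header + 2-byte transaction id puts the flags at udp[10]."""
    if not is_udp_port_137(frame, vlan_keyword):
        return False
    return udp(frame, 0xA, 2, vlan_keyword) in (0x2810, 0x2910)


def dst_oui_001b0d(frame):
    """(ether[0:4] & 0xFFFFFF00) == 0x001B0D00 -- ether[0:4] is the
    destination MAC; test ether[6:4] for the source OUI instead."""
    return (ether(frame, 0, 4) & 0xFFFFFF00) == 0x001B0D00
```

Compare host_192_x_x_11_port_137(build_frame(vid=20)) with the same call and vlan_keyword=True: the first is False because the ethertype at offset 12 is 0x8100, not 0x0800, which is exactly the behaviour behind the "Capture filter not working?" thread.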


Re: [Wireshark-users] Capture filter for ARP, DNS and PING

2008-01-06 Thread Troopy .

Try

icmp or dns or arp

Regards

TRoopy
-- Original Message --
From: nilay yildirim [EMAIL PROTECTED]
Reply-To: Community support list for Wireshark wireshark-users@wireshark.org
Date:  Sun, 6 Jan 2008 16:21:59 -0500

Hi,

How can I set up a capture filter just to capture ARP, DNS and PING? I did
it with Display filters but the same method didn't work for the Capture
filter. I'm new to Wireshark and still struggling with some easy stuff.

Nilay


Re: [Wireshark-users] Capture filter for ARP, DNS and PING

2008-01-06 Thread Guy Harris
nilay yildirim wrote:

 How can I set up a capture filter just to capture ARP, DNS and PING?

"DNS" generally means traffic to or from the Domain Name System port, 
and "PING" generally means ICMP Echo and Echo Reply packets, so:

arp or port domain or icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply


Re: [Wireshark-users] Capture filter for ARP, DNS and PING

2008-01-06 Thread nilay yildirim
Thanks. So how about if I wanted to only capture all packets to and from
10.10.10.10 (host ip address) but just arp, dns and ping? What does this
change? Or do I need to create another filter???

arp or port domain or icmp[icmptype] = icmp-echo or icmp[icmptype] =
icmp-echoreply


On Jan 6, 2008 5:28 PM, Guy Harris [EMAIL PROTECTED] wrote:

 nilay yildirim wrote:

  How can I set up a capture filter just to capture ARP, DNS and PING?

 DNS generally means traffic to or from the Domain Name System port,
 and PING generally means ICMP Echo and Echo Reply packets, so:

 arp or port domain or icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply


Re: [Wireshark-users] Capture filter for ARP, DNS and PING

2008-01-06 Thread Frank Bulk
Perhaps this has been asked and answered, but is there a tool or utility to
convert between capture and display syntax?

Frank 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of nilay yildirim
Sent: Sunday, January 06, 2008 3:22 PM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Capture filter for ARP, DNS and PING

Hi,

How can I set up a capture filter just to capture ARP, DNS and PING? I did
it with Display filters but the same method didn't work for the Capture
filter. I'm new to Wireshark and still struggling with some easy stuff. 

Nilay  




Re: [Wireshark-users] Capture filter for ARP, DNS and PING

2008-01-06 Thread Guy Harris
nilay yildirim wrote:
 Thanks. So how about if I wanted to only capture all packets to and from 
 10.10.10.10 (host ip address) but just arp, dns and 
 ping? What does this change? Or do I need to create another filter???

ARP packets don't go to or from IP addresses - they go to or from MAC 
addresses, so you can't capture ARP traffic to or from 10.10.10.10, as 
that notion makes no sense.

However, you could do

host 10.10.10.10 and (port domain or icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply)

which will capture DNS and ICMP ping traffic to or from 10.10.10.10.


Re: [Wireshark-users] capture filter of PPP LCP

2007-12-25 Thread Guy Harris
[EMAIL PROTECTED] wrote:

 ppp[0:2]=0xc021 is a capture filter, not display filter.
 I have solved this problem, because in my case, ppp is encapsulated in
 PPPoE, not directly in Ether,

Presumably you mean PPP is encapsulated over Ethernet using PPPoE, 
rather than being the link layer.

 so ppp[0:2]=0xc021 can not capture PPP LCP
 packets.

At least with the current top-of-tree CVS version of libpcap, the expression

pppoes and ppp proto 0xc021

should do what you want (assuming there is any LCP traffic in the PPPoE 
session).


Re: [Wireshark-users] capture filter of PPP LCP

2007-12-24 Thread cw
Hi!
ppp[0:2]=0xc021 is a capture filter, not display filter.
I have solved this problem, because in my case, ppp is encapsulated in
PPPoE, not directly in Ether, so ppp[0:2]=0xc021 can not capture PPP LCP
packets.

Thanks a lot!


Re: [Wireshark-users] Capture Filter

2007-12-03 Thread Sake Blok
On Mon, Dec 03, 2007 at 10:05:39AM +0300, Asif wrote:
 Stephen Fisher wrote:
  On Mon, Dec 03, 2007 at 09:33:19AM +0300, Asif wrote:

  I want help on how to create Capture Filter for a specific host.
 
  See:
  http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
 
 Thanks Stephen...
 
 I tested with the following command but no luck
 tcp port 8080 and host 192.168.2.11
 
 requirement was to capture traffic to and fro for IP 192.168.2.11 
 on TCP port 8080

That's the correct filter, but your traffic might be VLAN-tagged. In which
case you might want to have a look at:

http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d

On how to build capture filters on vlan tagged interfaces.

Hope this helps, Cheers,


Sake


Re: [Wireshark-users] Capture Filter

2007-12-03 Thread Trevor Tolk
Attached is the email chain of my issue with VLAN - I didn't think my
issue was a VLAN issue, but it was. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
Sent: 2007-12-03 08:40
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Capture Filter

On Mon, Dec 03, 2007 at 10:05:39AM +0300, Asif wrote:
 Stephen Fisher wrote:
  On Mon, Dec 03, 2007 at 09:33:19AM +0300, Asif wrote:

  I want help on how to create Capture Filter for a specific host.
 
  See:
  http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSe
  ction.html
 
 Thanks Stephen...
 
 I tested with the following command but no luck
 tcp port 8080 and host 192.168.2.11
 
 requirement was to capture traffic to and fro for IP 192.168.2.11
 on TCP port 8080

That's the correct filter, but your traffic might be VLAN-tagged. In
which case you might want to have a look at:

http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d

On how to build capture filters on vlan tagged interfaces.

Hope this helps, Cheers,


Sake
---BeginMessage---
On Mon, Nov 19, 2007 at 02:11:41PM -0800, Trevor Tolk wrote:
 H.  Well, I see the problem, though it opens different questions...
 
 I'm using an HP 2600 series switch.

I'm afraid I don't have any experience with HP switches

 I have 3 vlans, but no ports are
 tagged (they are all untagged).  The monitoring/mirroring port is
 supposed to be on the same vlan as the port you are monitoring.  It
 wasn't.  When I used the filter "vlan and host 65.98.143.227" it worked.

Great! :-)

 So then I got rid of it and capture filter and verified that indeed the
 packets were all being sent, but were tagged.  Does that mean that all
 ports are sending out packets for all vlans but they're tagged, or it's
 sending tagged packets on the monitoring port even if it's not in the
 same vlan on the port being monitored?

I guess that depends on the switch brand/model/sw-version. All switches
that I know of tag frames once they ingress the switch (they need to
know which vlan a frame came in on). Then they switch them to the 
correct egress port(s) and strip the tag if it's an untagged port.

It could be that port-mirroring comes in before the untagging on a 
HP switch.

I have also seen switches that leave the tag only on one direction
which makes filtering even harder. You end up using something like
host x.x.x.x or (vlan and host x.x.x.x)

(see also: http://wiki.wireshark.org/CaptureSetup/VLAN )


 Anyway, you answered my question!  Thanks so much Sake!

You're welcome :-)


Sake
---End Message---


Re: [Wireshark-users] Capture filter not working?

2007-11-19 Thread Trevor Tolk
H.  Well, I see the problem, though it opens different questions...

I'm using an HP 2600 series switch.  I have 3 vlans, but no ports are
tagged (they are all untagged).  The monitoring/mirroring port is
supposed to be on the same vlan as the port you are monitoring.  It
wasn't.  When I used the filter "vlan and host 65.98.143.227" it worked.
So then I got rid of it and capture filter and verified that indeed the
packets were all being sent, but were tagged.  Does that mean that all
ports are sending out packets for all vlans but they're tagged, or it's
sending tagged packets on the monitoring port even if it's not in the
same vlan on the port being monitored?

Anyway, you answered my question!  Thanks so much Sake!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok
Sent: 2007-11-15 19:14
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Capture filter not working?

On Thu, Nov 15, 2007 at 05:49:57PM -0800, Trevor Tolk wrote:
 capture filter: 
 
 host 65.98.143.227

Could it be that the frames coming from the mirrored port are
vlan-tagged (if so, they have a [802.1q] header in the packet detail
pane).

If they are, you must use the capture filter "vlan and host 65.98.143.227"

Hope this helps, Cheers,


Sake


Re: [Wireshark-users] Capture filter not working?

2007-11-19 Thread Sake Blok
On Mon, Nov 19, 2007 at 02:11:41PM -0800, Trevor Tolk wrote:
 H.  Well, I see the problem, though it opens different questions...
 
 I'm using an HP 2600 series switch.

I'm afraid I don't have any experience with HP switches

 I have 3 vlans, but no ports are
 tagged (they are all untagged).  The monitoring/mirroring port is
 supposed to be on the same vlan as the port you are monitoring.  It
 wasn't.  When I used the filter "vlan and host 65.98.143.227" it worked.

Great! :-)

 So then I got rid of it and capture filter and verified that indeed the
 packets were all being sent, but were tagged.  Does that mean that all
 ports are sending out packets for all vlans but they're tagged, or it's
 sending tagged packets on the monitoring port even if it's not in the
 same vlan on the port being monitored?

I guess that depends on the switch brand/model/sw-version. All switches
that I know of tag frames once they ingress the switch (they need to
know which vlan a frame came in on). Then they switch them to the 
correct egress port(s) and strip the tag if it's an untagged port.

It could be that port-mirroring comes in before the untagging on a 
HP switch.

I have also seen switches that leave the tag only on one direction
which makes filtering even harder. You end up using something like
host x.x.x.x or (vlan and host x.x.x.x)

(see also: http://wiki.wireshark.org/CaptureSetup/VLAN )


 Anyway, you answered my question!  Thanks so much Sake!

You're welcome :-)


Sake


Re: [Wireshark-users] Capture filter not working?

2007-11-16 Thread Sake Blok
On Thu, Nov 15, 2007 at 05:49:57PM -0800, Trevor Tolk wrote:
 capture filter: 
 
 host 65.98.143.227

Could it be that the frames coming from the mirrored port are
vlan-tagged (if so, they have a [802.1q] header in the packet
detail pane).

If they are, you must use the capture filter "vlan and host 65.98.143.227"

Hope this helps, Cheers,


Sake


Re: [Wireshark-users] Capture filter not working?

2007-11-15 Thread Stephen Fisher
On Thu, Nov 15, 2007 at 03:26:06PM -0800, Trevor Tolk wrote:

 When I use an IP (host) or tcp/udp capture filter on the monitoring
 nic, it captures no traffic.  When I use the same filter on the nic
 connected to the normal network, the filter works fine.  I can use an
 ether capture filter and it works.

What is (are) the capture filter(s) you are trying to use?  It should be
working fine without changing any options.


Steve


Re: [Wireshark-users] Capture filter not working?

2007-11-15 Thread Trevor Tolk
capture filter: 

host 65.98.143.227

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stephen
Fisher
Sent: 2007-11-15 16:42
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Capture filter not working?

On Thu, Nov 15, 2007 at 03:26:06PM -0800, Trevor Tolk wrote:

 When I use an IP (host) or tcp/udp capture filter on the monitoring 
 nic, it captures no traffic.  When I use the same filter on the nic 
 connected to the normal network, the filter works fine.  I can use an 
 ether capture filter and it works.

What is (are) the capture filter(s) you are trying to use?  It should be
working fine without changing any options.


Steve


Re: [Wireshark-users] Capture filter problem

2007-10-17 Thread Zhenyu Zhao
Have you tried the ether host a.a.a.a capture filter? This can dig down to 
layer two...

Zhen

On Wed, 17 Oct 2007, Bogorev Andrey wrote:

 Hello All,

 I am experiencing a problem with a capture filter. I log in to the sniffer
 PC (Windows 2000) remotely and define the capture filter as host a.a.a.a, and
 after that start a ping from a.a.a.a to b.b.b.b, but I see just the replies from
 b.b.b.b to a.a.a.a, not the requests. As far as I know, the host command allows
 me to sniff src and dst traffic. Do you have any ideas why this happens?

 Thanks in advance.

 Br,

 Andrey



Re: [Wireshark-users] Capture filter problem

2007-10-17 Thread Sake Blok
On Wed, Oct 17, 2007 at 01:17:53PM +0300, Bogorev Andrey wrote:
 
 I am experiencing a problem with a capture filter. I log in to the sniffer
 PC (Windows 2000) remotely and define the capture filter as host a.a.a.a, and
 after that start a ping from a.a.a.a to b.b.b.b, but I see just the replies from
 b.b.b.b to a.a.a.a, not the requests. As far as I know, the host command allows
 me to sniff src and dst traffic. Do you have any ideas why this happens?

Does the sniffer PC have two NIC's? Could it be that traffic is going
out of NIC-1 and is coming back through NIC-2?

Cheers,


Sake


Re: [Wireshark-users] capture filter

2007-05-04 Thread Guy Harris
Tom Greaser wrote:
 Thanks Guy. Just what I was asking for.
 I will remember to man tcpdump next time.

Well, the man page is a start, but the expr relop expr section is a 
bit of Full Frontal Capture Filter[*] - you have to know that the 
capability is there, and you then have to go from that to the particular 
type of filter you need, so it's a bit more than just RTFM.

[*]Rob Gingell at Sun once contrasted the dbxtool GUI app in SunOS with 
using what he called full frontal dbx as the debugger.  I've used 
variants of the phrase since then as a term for using various things 
without the help of the friendly front ends.


Re: [Wireshark-users] Capture filter for tcp retransmissions

2006-11-13 Thread Guy Harris
Paul Jacobs wrote:
 I found the display filter for tcp retransmissions but is there a capture
 filter for this?

No - libpcap's capture filter mechanism doesn't support any form of 
state kept between packets; each packet is treated independently from 
previous packets, so it'd be impossible for the filter mechanism to know 
whether a packet is a retransmission.


Re: [Wireshark-users] capture filter tcp port 20 and port 21

2006-09-18 Thread Ulf Lamping


 
 I want to capture an FTP download from a server to a client. What is the capture
 filter to be used at both server and client so I can get only traffic from/to
 port 20 and port 21?

 I tried this -- tcp port 20 and tcp port 21 but no traffic is captured.


The correct syntax for what you thought of would be: tcp port 20 or tcp port 21

However, as the data port will often be negotiated (i.e. it varies from transfer to
transfer), you often won't be able to use a capture filter for this, as you
won't capture the data portion; see: http://wiki.wireshark.org/FTP

Regards, ULFL
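Added example (not code from the list or from the Wireshark project): a small Python model of libpcap's packet-by-packet filtering, run over constructed frames, to show three points made in the threads above. Guy's point that a retransmission test cannot be a capture filter, because every packet is judged on its own bytes; Sake's point that on 802.1Q-tagged traffic a plain host filter matches nothing unless the filter starts with vlan (modelled here by a vlan_aware flag, a simplification of how libpcap shifts its header offsets after the vlan keyword); and Ulf's point that "tcp port 20 and tcp port 21" matches almost nothing while "or" is the filter people mean, and that passive-mode data on a negotiated port still escapes it. The addresses, ports and frames are constructed, and the retransmission rule (same flow and sequence number seen twice) is a deliberate simplification of what Wireshark's TCP analysis does.

```python
import socket
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag TPID
ETH_P_IP = 0x0800
IPPROTO_TCP = 6

def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload=b"", vlan=None):
    """Constructed Ethernet/[802.1Q]/IPv4/TCP frame; dummy MACs, zero checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    tag = struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + tcp + payload

def parse_frame(raw, vlan_aware=False):
    """Fields a capture filter can see, or None if the frame is not IPv4/TCP.
    Like libpcap, a filter without the 'vlan' keyword reads the EtherType at offset
    12; on a tagged frame that is 0x8100, so 'host x' alone never matches it."""
    off, vlan = 12, None
    ethertype = struct.unpack_from("!H", raw, off)[0]
    if ethertype == ETH_P_8021Q and vlan_aware:
        vlan = struct.unpack_from("!H", raw, 14)[0] & 0x0FFF  # 'vlan N' is ether[14:2]&0x0fff = N
        off = 16
        ethertype = struct.unpack_from("!H", raw, off)[0]
    off += 2  # IPv4 header starts here
    if ethertype != ETH_P_IP or raw[off + 9] != IPPROTO_TCP:
        return None
    ihl = (raw[off] & 0x0F) * 4
    total_len = struct.unpack_from("!H", raw, off + 2)[0]
    src, dst = socket.inet_ntoa(raw[off + 12:off + 16]), socket.inet_ntoa(raw[off + 16:off + 20])
    t = off + ihl  # TCP header starts here
    sport, dport, seq = struct.unpack_from("!HHI", raw, t)
    data_off = (raw[t + 12] >> 4) * 4
    return {"vlan": vlan, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "payload_len": total_len - ihl - data_off}

# Filter primitives and connectives; each predicate sees exactly one packet.
def tcp_port(port): return lambda f: port in (f["sport"], f["dport"])
def host(ip): return lambda f: ip in (f["src"], f["dst"])
def vlan(vid=None): return lambda f: f["vlan"] is not None and vid in (None, f["vlan"])
def f_and(a, b): return lambda f: a(f) and b(f)
def f_or(a, b): return lambda f: a(f) or b(f)
def f_not(a): return lambda f: not a(f)

def capture(pred, frames, vlan_aware=False):
    """Stateless, packet-by-packet filtering: the only kind libpcap offers."""
    parsed = (parse_frame(raw, vlan_aware) for raw in frames)
    return [f for f in parsed if f is not None and pred(f)]

class RetransmissionTracker:
    """What a capture filter cannot be: it keeps per-flow state across packets.
    A data segment repeating an already-seen (flow, seq) is flagged; this is a
    simplified stand-in for Wireshark's tcp.analysis.retransmission display filter."""

    def __init__(self):
        self.seen = set()

    def is_retransmission(self, f):
        if f["payload_len"] == 0:
            return False
        key = (f["src"], f["dst"], f["sport"], f["dport"], f["seq"])
        if key in self.seen:
            return True
        self.seen.add(key)
        return False

def demo_counts():
    """Constructed traffic: FTP control session, active-mode data from port 20 with one
    resent segment, passive-mode data on a negotiated port, partly on VLANs 20/30/40."""
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 21, 1000, b"USER anon\r\n"),
        build_tcp_frame("10.0.0.9", "10.0.0.5", 21, 40001, 5000, b"331 OK\r\n"),
        build_tcp_frame("10.0.0.9", "10.0.0.5", 20, 40002, 7000, b"file data", vlan=20),
        build_tcp_frame("10.0.0.9", "10.0.0.5", 20, 40002, 7000, b"file data", vlan=20),  # resent
        build_tcp_frame("10.0.0.9", "10.0.0.5", 50123, 40003, 9000, b"pasv data", vlan=30),
        build_tcp_frame("10.0.0.7", "10.0.0.9", 40004, 21, 2000, b"QUIT\r\n", vlan=40),
    ]
    tracker = RetransmissionTracker()
    retrans = sum(tracker.is_retransmission(f) for f in capture(lambda f: True, frames, True))
    return {
        "tcp port 20 and tcp port 21": len(capture(f_and(tcp_port(20), tcp_port(21)), frames, True)),
        "tcp port 20 or tcp port 21": len(capture(f_or(tcp_port(20), tcp_port(21)), frames, True)),
        "host 10.0.0.9 (no 'vlan' keyword)": len(capture(host("10.0.0.9"), frames)),
        "vlan and host 10.0.0.9": len(capture(f_and(vlan(), host("10.0.0.9")), frames, True)),
        "vlan and not (vlan 20 or vlan 30)": len(capture(f_and(vlan(), f_not(f_or(vlan(20), vlan(30)))), frames, True)),
        "retransmissions (needs state)": retrans,
    }

if __name__ == "__main__":
    for name, count in demo_counts().items():
        print(f"{name:36s} -> {count} packet(s)")
```

Running it prints one line per filter with the number of matching frames. The "and" form matches 0 of the 6 frames and the "or" form 5, missing only the passive-mode data connection; the plain host filter sees just the 2 untagged frames until vlan is added; and the one retransmission is only found by the tracker, which needs memory of the previous segment that no per-packet predicate has.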


Re: [Wireshark-users] capture filter tcp port 20 and port 21

2006-09-18 Thread Becky Vict
Thank you Jaap and Ulf. I had tried this -- tcp port 20 or tcp port 21 and it works beautifully!

Ulf, if I use active mode, would my data port be negotiated for every transfer?

Thanks.