From: winpcap-users-boun...@winpcap.org [mailto:winpcap-users-boun...@winpcap.org] On Behalf Of Black, Mike (IS)
Sent: Thursday, May 01, 2014 4:09 PM
To: winpcap-users@winpcap.org
Subject: Re: [Winpcap-users] strange filtering issue

Are you sure you're looking at the correct output file?

> Yep. It looks like the issue may center around the question that Guy was
> asking about VLAN headers. I'm using Wireshark to view the capture file and
> it shows that the packets to the filtered host that are ending up in the
> file are just the packets where dst = 192.168.10.2 (src = 192.168.10.2 are
> missing) and these have a VLAN1 header for some reason. Looks like something
> upstream is adding a VLAN tag that shouldn't be there and if I understand the
> reason for Guy's question, the issue is the offset from the VLAN header being
> prepended to the packet.
>
> Jerry.

What you're describing works for me: I did this:

windump -s 0 -C100 -w test -W 40 -i 2 host !192.168.1.1

And did a ping and a web port request to it while running...

Then I do this...note that the filename is test00

windump -r test00 host 192.168.1.1
reading from file test00, link-type EN10MB (Ethernet)

And no packets are shown.

Michael D. Black
Senior Scientist
Analytics, Production and Services
Advanced GEOINT Systems
Northrop Grumman Information Systems

________________________________
From: winpcap-users-boun...@winpcap.org [winpcap-users-boun...@winpcap.org] on behalf of Jerry Riedel [rie...@codylabs.com]
Sent: Thursday, May 01, 2014 3:44 PM
To: winpcap-users@winpcap.org
Subject: EXT :[Winpcap-users] strange filtering issue

Hello,

I am trying to use filters in conjunction with saving the filtered packets to a file, using windump, but when I do, the filters seem to get ignored. Here is an example of what I am trying:

c:\windump -i 1 -s 0 -C 100 -w test -W 40 !host 192.168.10.2

When I use this, there are still packets to/from that host in the capture file. On the other hand, if I use:

windump -i 1 !host 192.168.10.2

...on the command line, I can see the packets to/from that host filtered out. To be clear, if I remove the ! from the command line, I see traffic to/from that host, if I add the ! back in, I don't, and there is a constant stream of traffic to/from this host. The documentation I have been able to find seems to indicate that this is legal and I don't get any syntax errors. What am I missing?

Thanks,
Jerry

_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
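An added illustration (not part of the thread) of the VLAN-offset point raised above: a plain `host` test reads the EtherType at byte 12 and the IPv4 header at byte 14, so an 802.1Q-tagged frame, whose IPv4 header sits at byte 18, never matches, and a negated filter such as `not host 192.168.10.2` therefore keeps exactly the tagged packets. All frames below are constructed sample data, and `ip_addresses`/`host_matches` are a simplified model of the filter, not libpcap's code.

```python
"""Model of why an offset-based 'host' filter misses 802.1Q-tagged frames.
Constructed frames only; this is an illustration, not libpcap's matcher."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
VLAN_TAG_LEN = 4


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet/IPv4 frame (constructed test data).
    If vlan_id is given, an 802.1Q tag (TPID 0x8100 + TCI) is inserted
    between the source MAC and the EtherType, shifting the IP header by 4."""
    dst_mac = bytes.fromhex("001122334455")  # constructed MACs
    src_mac = bytes.fromhex("66778899aabb")
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    # 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL,
    # protocol (1 = ICMP), checksum (0, unverified here), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def ip_addresses(frame, vlan_aware):
    """Return (src, dst) IPv4 strings, or None if no IPv4 header is found.
    vlan_aware=False mirrors a plain 'host X' test: EtherType is read at
    offset 12 and must be 0x0800, so a tagged frame (0x8100 there) fails.
    vlan_aware=True skips the 4-byte tag first, like the 'vlan' primitive."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if vlan_aware and ethertype == ETHERTYPE_8021Q:
        off += VLAN_TAG_LEN
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_off = off + 2  # 14 for untagged frames, 18 for tagged ones
    src = ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16])
    dst = ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20])
    return str(src), str(dst)


def host_matches(frame, host, vlan_aware=False):
    """True if 'host <host>' would match this frame under the chosen model."""
    addrs = ip_addresses(frame, vlan_aware)
    return addrs is not None and host in addrs
```

In a real capture filter the same offset adjustment is done by libpcap's `vlan` primitive, so a filter that must exclude a host on both tagged and untagged frames needs both forms, e.g. `not (host 192.168.10.2 or (vlan and host 192.168.10.2))`.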