On Wed, Apr 16, 2003 at 12:31:46PM -0400, Paul Santangelo wrote:

> I need to capture packets that are sent to TCP PORT 10008.

Sent by the machine running Ethereal, to the machine running Ethereal,
or between two other machines on the same network?

> I set up a capture filter just as you see it, I send the transmission
> but then get nothing in the capture. Is there some setting that I could
> have wrong?
> The interface I am using is the nic card in the machine, and not the
> ndis default. When I remove the filter I do see the network traffic.

By "the network traffic" do you mean "traffic to TCP port 10008", or do
you mean *other* network traffic?

If, without the filter "tcp port 10008", you see traffic to TCP port
10008, are you capturing on a token-ring or 802.11 wireless LAN? If so,
note that there is currently a bug in libpcap wherein filters don't work
correctly on source-routed token-ring packets or on 802.11 packets that
have headers with four MAC addresses. (It's not a trivial bug to fix,
or at least I've found that the way the BPF code generator in libpcap
works doesn't make it obvious how to do it.)

If, without the filter "tcp port 10008", you see traffic, but still
don't see traffic to TCP port 10008, then:

    if the port 10008 traffic is being sent between two other
    machines on the network, *and* the only traffic you see without
    the filter is traffic to the machine running Ethereal, traffic
    from the machine running Ethereal, and broadcast/multicast
    traffic, then:

        http://www.ethereal.com/faq.html#q5.1

    if the port 10008 traffic is being sent by the machine running
    Ethereal, and you have some kind of VPN or perhaps some other
    type of packet filtering/shaping/etc. software installed on your
    machine (which I infer is running Windows from your references
    to "the ndis default"), then:

        http://www.ethereal.com/faq.html#q5.18
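
The 802.11 four-address case mentioned in the message above can be pictured with a simplified model, added here as an illustration and not taken from the original message or from libpcap's code. It assumes the filter looks for the IP header at a fixed offset sized for a 24-byte 802.11 header plus LLC/SNAP; all function names and the frames are constructed for this example.

```python
import struct

SNAP_IPV4 = bytes.fromhex("aaaa03000000") + b"\x08\x00"  # LLC/SNAP, EtherType IPv4

def ipv4_tcp(dport, sport=40000):
    """Constructed 20-byte IPv4 header + 20-byte TCP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp

def dot11_data(payload, four_addr):
    """Constructed 802.11 data frame: 24-byte header, 30 bytes when ToDS and FromDS are both set."""
    fc = bytes([0x08, 0x03 if four_addr else 0x01])      # type=data; ToDS=0x01, FromDS=0x02
    hdr = fc + b"\x00\x00" + bytes(6) * 3 + b"\x00\x00"  # duration, addr1-3, sequence control
    if four_addr:
        hdr += bytes(6)                                  # addr4 pushes everything back 6 bytes
    return hdr + SNAP_IPV4 + payload

def tcp_port_match(frame, port, ip_off):
    """Evaluate 'tcp port N' with the IPv4 header assumed to start at ip_off."""
    if len(frame) < ip_off + 20 or frame[ip_off - 2:ip_off] != b"\x08\x00":
        return False                                     # EtherType is not IPv4 at this offset
    if frame[ip_off] >> 4 != 4 or frame[ip_off + 9] != 6:
        return False                                     # not IPv4, or protocol is not TCP
    tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4
    if len(frame) < tcp_off + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    return port in (sport, dport)

def fixed_offset_filter(frame, port):
    """Assumed model of the buggy behaviour: header length is always 24 + 8 bytes."""
    return tcp_port_match(frame, port, 24 + 8)

def header_aware_filter(frame, port):
    """Reads ToDS/FromDS first; handles only plain (non-QoS) data frames."""
    four_addr = (frame[1] & 0x03) == 0x03
    return tcp_port_match(frame, port, (30 if four_addr else 24) + 8)

def demo(port=10008):
    frames = {"3-address": dot11_data(ipv4_tcp(port), False),
              "4-address": dot11_data(ipv4_tcp(port), True)}
    return {name: (fixed_offset_filter(f, port), header_aware_filter(f, port))
            for name, f in frames.items()}

if __name__ == "__main__":
    for name, (fixed, aware) in demo().items():
        print(f"{name}: fixed-offset={fixed} header-aware={aware}")
```

In this model the four-address frame carries the same TCP segment to port 10008 but is dropped by the fixed-offset check, which matches the symptom of seeing the traffic only when the capture filter is removed.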