Ethereal-users: Re: [Ethereal-users] Capture without filter works fine, capture with filter does

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Edward VanDewars <gt4200b@xxxxxxxxx>
Date: Thu, 3 Mar 2005 10:20:33 -0800 (PST)
That was it; thank you VERY much.

I didn't read the vlan man line closely enough, I
assumed you only specified it if you wanted to filter
by vlan (since multiple vlans were included on the
mirror port).  Rather, you have to include it (even
without the vlan id) if the traffic is tagged.

Thanks again!

--- LEGO <luis.ontanon@xxxxxxxxx> wrote:

> any vlan tags?
> 
> if so you have to add to the filter the vlan in
> which to find the IP.
> 
> example:
> "vlan 123 and host 1.2.3.4"
> 
> 
> On Thu, 3 Mar 2005 09:56:24 -0800 (PST), Edward VanDewars <gt4200b@xxxxxxxxx> wrote:
> > I'm running ethereal 0.10.9 on an interface attached
> > to a mirror port on a switch.  I can capture data just
> > fine if I do a capture by interface for the interface
> > on the mirrored port.  However, if I want to do any
> > type of capture filter then nothing will capture.
> > 
> > For example, I do an interface capture on the mirrored
> > interface, eth1, and see that there is a LOT of
> > traffic to IP address 1.2.3.4 so I attempt to do a
> > capture (on the mirrored interface, eth1) with a
> > capture filter of "host 1.2.3.4" and get nothing.
> > I've tried starting ethereal with "-i eth1" with the
> > same results.
> > 
> > I suspect this is actually not an ethereal issue, as
> > tcpdump exhibits the same behavior.  "tcpdump -i eth1"
> > returns all expected traffic (including LOTS of
> > traffic to 1.2.3.4) but "tcpdump -i eth1 host 1.2.3.4"
> > returns nothing no matter how long I wait (although
> > upon ctrl-c it does report packets received by
> > filter).
> > 
> > In both cases I can capture traffic to and from the
> > local host on the other nic (eth0) using filters.
> > 
> > I'm running ethereal 0.10.9, tcpdump 3.8.3, and
> > libpcap  0.8 on linux (Debian/testing) (all are Debian
> > packages, nothing custom built) with kernel 2.6.10.
> > The nic on the mirror port is an Intel pro/1000.
> > 
> > Any ideas or suggestions would be greatly appreciated.
> > I am currently working around the issue by capturing
> > everything and then filtering using display filters
> > but the captures are getting too large.
> > 
> > Thanks in advance.
> > 
> 
> 
> -- 
> This information is top security. When you have read
> it, destroy yourself.
> -- Marshall McLuhan
> 
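
Why the plain "host" filter matches nothing on tagged traffic, as an added example that is not part of the original thread: a simplified Python model of the fixed-offset checks behind "host H" and "vlan [id] and host H", run on constructed frames. The function names, the 10.0.0.5 address and the single 0x8100 tag type are assumptions for illustration; real libpcap compiles the filter to BPF bytecode.

```python
import socket
import struct

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100  # EtherType values

def frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet + IPv4 header (no payload), optionally 802.1Q-tagged."""
    eth = bytes(12)                                   # dst MAC + src MAC, zeroed
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def match_host(pkt, host, l2_len=14):
    """Model of "host H": EtherType before the L3 header must be IPv4, then compare src/dst."""
    if struct.unpack_from("!H", pkt, l2_len - 2)[0] != ETH_IPV4:
        return False                                  # a tagged frame has 0x8100 at offset 12
    addr = socket.inet_aton(host)
    return addr in (pkt[l2_len + 12:l2_len + 16], pkt[l2_len + 16:l2_len + 20])

def match_vlan_host(pkt, host, vlan_id=None):
    """Model of "vlan [id] and host H": require the tag, then shift every offset by 4."""
    if struct.unpack_from("!H", pkt, 12)[0] != ETH_8021Q:
        return False
    tci = struct.unpack_from("!H", pkt, 14)[0]
    if vlan_id is not None and (tci & 0x0FFF) != vlan_id:
        return False
    return match_host(pkt, host, l2_len=18)

def match_either(pkt, host):
    """Model of "host H or (vlan and host H)", covering untagged and tagged frames."""
    # The untagged test comes first: "vlan" shifts offsets for everything after it.
    return match_host(pkt, host) or match_vlan_host(pkt, host)

if __name__ == "__main__":
    untagged = frame("10.0.0.5", "1.2.3.4")
    tagged = frame("10.0.0.5", "1.2.3.4", vlan_id=123)
    for name, pkt in (("untagged", untagged), ("tagged", tagged)):
        print(name, match_host(pkt, "1.2.3.4"), match_vlan_host(pkt, "1.2.3.4"),
              match_either(pkt, "1.2.3.4"))
```

On a mirror port that carries a mix of tagged and untagged frames, the combined form is the one that avoids silently dropping half the traffic from the capture.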

