Wireshark-users: Re: [Wireshark-users] Capture Filter

From: "Trevor Tolk" <TTolk@xxxxxxxxxxxx>
Date: Mon, 3 Dec 2007 10:57:09 -0800
Attached is the email chain of my issue with VLAN - I didn't think my
issue was a VLAN issue, but it was. 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: 2007-12-03 08:40
To: asif@xxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Capture Filter

On Mon, Dec 03, 2007 at 10:05:39AM +0300, Asif wrote:
> Stephen Fisher wrote:
> > On Mon, Dec 03, 2007 at 09:33:19AM +0300, Asif wrote:
> >   
> >> I want help on how to create Capture Filter for a specific host.
> >
> > See:
> > http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
> >
> Thanks Stephen...
> 
> I tested with the following command but no luck tcp port 8080 and host
> 192.168.2.11
> 
> requirement was to capture traffic through and fro for IP 192.168.2.11
> on TCP port 8080

That's the correct filter, but your traffic might be VLAN-tagged. In
which case you might want to have a look at:

http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d

On how to build capture filters on vlan tagged interfaces.

Hope this helps, Cheers,


Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
--- Begin Message ---
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 19 Nov 2007 14:54:47 -0800
On Mon, Nov 19, 2007 at 02:11:41PM -0800, Trevor Tolk wrote:
> Hmmmm.  Well, I see the problem, though it opens different questions...
> 
> I'm using an HP 2600 series switch.

I'm afraid I don't have any experience with HP switches

> I have 3 vlans, but no ports are
> tagged (they are all untagged).  The monitoring/mirroring port is
> supposed to be on the same vlan as the port you are monitoring.  It
> wasn't.  When I used the filter "vlan and host 65.98.143.227" it worked.

Great! :-)

> So then I got rid of it and capture filter and verified that indeed the
> packets were all being sent, but were tagged.  Does that mean that all
> ports are sending out packets for all vlans but they're tagged, or it's
> sending tagged packets on the monitoring port even if it's not in the
> same vlan on the port being monitored?

I guess that depends on the switch brand/model/sw-version. All switches
that I know of tag frames once they ingress the switch (they need to
know which vlan a frame came in on). Then they switch them to the 
correct egress port(s) and strip the tag if it's an untagged port.

It could be that port-mirroring comes in before the "untagging" on a 
HP switch.

I have also seen switches that leave the tag only on one direction
which makes filtering even harder. You end up using something like
"host x.x.x.x or (vlan and host x.x.x.x)"

(see also: http://wiki.wireshark.org/CaptureSetup/VLAN )


> Anyway, you answered my question!  Thanks so much Sake!

You're welcome :-)


Sake

--- End Message ---
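Why the plain "host ... and tcp port ..." filter missed the mirrored frames, and what the "host x.x.x.x or (vlan and host x.x.x.x)" workaround from Sake's reply buys you, as an added Python example that is not part of this thread: it builds one untagged and one 802.1Q-tagged frame (constructed sample data) and emulates the filter semantics with the hypothetical functions build_frame, host_and_tcp_port and tagged_or_untagged. It models what the capture filter is meant to match, not libpcap's actual BPF compilation.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q TPID; when present, the IP header starts 4 bytes later

def build_frame(src_ip, dst_ip, sport, dport, vlan_id=None):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed sample data, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
    # Tagged frame: TPID 0x8100, TCI carrying a 12-bit VID, then the real ethertype
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4) + ip + tcp

def host_and_tcp_port(frame, host, port, vlan=False):
    """Emulate "host HOST and tcp port PORT"; with vlan=True, emulate the same
    expression prefixed by "vlan": require an 802.1Q tag and read every IP/TCP
    field 4 bytes further into the frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if vlan:
        if ethertype != ETHERTYPE_VLAN:
            return False
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4:
        return False  # the untagged filter sees 0x8100 here on a tagged frame and gives up
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = ipaddress.IPv4Address(frame[off + 12:off + 16])
    dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
    if proto != 6 or ipaddress.IPv4Address(host) not in (src, dst):
        return False
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return port in (sport, dport)

def tagged_or_untagged(frame, host, port):
    """The "host X or (vlan and host X)" idea from the thread, with the port test
    added: needed when a switch tags only one direction of the mirrored session."""
    return (host_and_tcp_port(frame, host, port)
            or host_and_tcp_port(frame, host, port, vlan=True))
```

With a 30-byte-per-frame difference of one 4-byte tag, the untagged filter returns False for the tagged frame and the "vlan" filter returns False for the untagged one, which is exactly the symptom in the thread.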