On Thu, Aug 28, 2008 at 03:21:55PM -0600, Bryan Carter wrote:
> This one is just getting away from me and I can't get my head around it,
> and I cannot find an example anywhere.
>
> I have WireShark running on a SPAN port that is watching several ports on
> a Cisco switch. I simply want a capture filter that will allow me to see
> ALL of the traffic between two SPECIFIC ip addresses. So I ONLY want to
> see traffic from IP1, IF it is going to, or coming from IP2. What would
> that CAPTURE filter look like?

How about:

"host <IP1> and host <IP2>"

This would require the presence of IP1 in either src-ip or dst-ip AND
the presence of IP2 in either src-ip or dst-ip.

It all changes when VLAN tags are present. If all frames are tagged,
then "vlan and (host <IP1> and host <IP2>)" will do the trick. But
if some frames are not tagged and some are tagged, then it will get
complicated, if not impossible...

Cheers,
Sake
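
The following is an added example, not part of Sake's message: a simplified Python model of how the two capture filters above test fixed byte offsets in an Ethernet frame, showing why each one only sees frames of its own kind. The addresses, VLAN ID and helper names are constructed for illustration, and only IPv4 is modelled.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # 802.1Q tag protocol identifier


def frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet + IPv4 header, optionally 802.1Q tagged."""
    macs = bytes(6) + bytes(6)
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip


def ethertype(pkt, shift):
    return struct.unpack_from("!H", pkt, 12 + shift)[0]


def has_host(pkt, ip, shift):
    """'host <ip>' for IPv4: EtherType must be IPv4, then src or dst equals ip."""
    if len(pkt) < 34 + shift or ethertype(pkt, shift) != ETH_IPV4:
        return False
    addr = socket.inet_aton(ip)
    return addr in (pkt[26 + shift:30 + shift], pkt[30 + shift:34 + shift])


def plain_filter(pkt, ip1, ip2):
    """Model of: host <IP1> and host <IP2>"""
    return has_host(pkt, ip1, 0) and has_host(pkt, ip2, 0)


def vlan_filter(pkt, ip1, ip2):
    """Model of: vlan and (host <IP1> and host <IP2>)"""
    if len(pkt) < 14 or ethertype(pkt, 0) != ETH_VLAN:
        return False
    # After 'vlan', the remaining tests assume a 4-byte tag and shift by 4.
    return has_host(pkt, ip1, 4) and has_host(pkt, ip2, 4)


if __name__ == "__main__":
    a, b, c = "10.0.0.1", "10.0.0.2", "10.0.0.3"  # constructed addresses
    for label, pkt in [("untagged a->b", frame(a, b)),
                       ("untagged a->c", frame(a, c)),
                       ("vlan 10  b->a", frame(b, a, vlan_id=10))]:
        print(label, "plain:", plain_filter(pkt, a, b),
              "vlan:", vlan_filter(pkt, a, b))
```
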