Wireshark-users: Re: [Wireshark-users] src host capture filter not working

From: "Jeff Liegel" <jliegel@xxxxxxxxxxxxxxx>
Date: Wed, 13 Jan 2010 09:05:45 -0600
That worked, thanks so much.  

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, January 12, 2010 10:32 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] src host capture filter not working
Importance: High


On Jan 12, 2010, at 2:35 PM, Jeff Liegel wrote:

> Hi.  I desperately need to see packets coming from OR going to ip
207.35.208.194 using capture filter
> 
> Works fine with display filter only but this is a really busy network
and I need to ultimately save the capture to a file thus need a capture
filter. 

The Wireshark display filter code, for the filter "ip.dst ==
207.35.208.194 or ip.src == 207.35.208.194", looks for IP addresses
wherever they appear in the packet.

The libpcap/WinPcap capture filter code, for the filter "host
207.35.208.194", generates BPF code that looks for IP addresses under
the assumption that there are no VLAN headers.  The packets not being
seen have VLAN headers.

The filter

	host 207.35.208.194 or (vlan and host 207.35.208.194)

(you will need to quote that if you put it on the command line) sees all
the packets in the file; it will check for IP addresses with no VLAN
headers or with one level of VLAN header.
________________________________________________________________________
___
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.