Wireshark-users: Re: [Wireshark-users] pcap / winpcap filters

Have you tried the “net <network>/<len>” capture filter primitive or its variants? (see “man pcap-filter” for more details.) Or if none of those work, you could try temporarily changing your adaptor’s netmask.

BTW, I hope you don’t intend to use Wireshark for long-term capturing. You might want to look at dumpcap for this if you haven’t already.

- Chris

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of marco@xxxxxxxxxx

Dear Sake,

I checked it also and that's not the issue ..... I think that the pcap / winpcap filter works only if the packet's source or destination IP is in the ethernet interface subnet range. If it isn't, the pcap will discard it without checking its content. Could be?

Regards,
Marco

From: wireshark-users-bounces@xxxxxxxxxxxxx
To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
Cc:
Date: Thu, 29 Apr 2010 17:46:18 +0200
Subject: Re: [Wireshark-users] pcap / winpcap filters

> My guess would be that all traffic is vlan-tagged on the mirror port. Could you try the filter "vlan and (port 53 or port 5060)"?
>
> See also: http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d
>
> Cheers,
>
> Sake
>
> On 29 apr 2010, at 15:37, marco@xxxxxxxxxx wrote:
>
> > Hi Lars,
> > if I do not add any filter I can capture all the traffic ( that does not match as source / destination or both ) the mirroring port sends me. While if I enable a filter ( like "igmp" for example ) I can only see the traffic that can be accepted by the subnet I configure on my eth interface .....
> >
> > Regards,
> > Marco
> >
> > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> > Cc:
> > Date: Thu, 29 Apr 2010 15:03:20 +0200
> > Subject: Re: [Wireshark-users] pcap / winpcap filters
> >
> > > Hi,
> > > That's not a problem. In **promiscuous mode** (checked?), you will see any traffic coming out of the mirror port, regardless if it's on your local subnet or not.
> > > Have you tried sniffing without any filter? Do you see the traffic of the other subnet then?
> > > I suspect your problem is more related to your port mirroring setup than to Wireshark filters.
> > >
> > > Regards,
> > > Lars Ruoff
> > >
> > > ________________________________________
> > > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of marco@xxxxxxxxxx
> > > Sent: Thursday, 29 April 2010 14:49
> > > To: wireshark-users@xxxxxxxxxxxxx
> > > Subject: Re: [Wireshark-users] pcap / winpcap filters
> > >
> > > Hi,
> > > yes, that's what I did in the past but if I use this filter string I can only get the packet that lookup on my ethernet interface .... while I need to see all the packets that are not sent to / come from my eth interface subnet.
> > >
> > > I did a port mirroring on a Layer3 switch so on the mirroring port I can see all the packets of some subnet and they will necessarily not match my eth interface subnet .....
> > >
> > > Thanks!
> > > Marco
> > >
> > > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > > To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> > > Cc:
> > > Date: Thu, 29 Apr 2010 14:09:46 +0200
> > > Subject: Re: [Wireshark-users] pcap / winpcap filters
> > >
> > > > Hi,
> > > >
> > > > Would that be a capture filter like: 'port 53 or port 5060'
> > > >
> > > > Thanks,
> > > > Jaap
> > > >
> > > > On Thu, 29 Apr 2010 11:39:17 +0200, "marco@marcomp.it" wrote:
> > > > > I need to filter some traffic (before capturing it) using the pcap / winpcap filter but this traffic comes from some different subnet ( different from my eth interface subnet ).
> > > > > So if I apply a filter the pcap shows me the packet that can lookup on my eth interface only ...
> > > > > How can I get the filtered traffic that comes from "everywhere" (0.0.0.0/0) ?
> > > > >
> > > > > I need to filter the data traffic before sending it to Wireshark because I only need to check the DNS and SIP traffic for a long time ( maybe for more than 1 week )... so I don't want to store Gbyte and Gbyte of not helpful data on my pc.....
> > > > >
> > > > > Have you any suggestion ?
> > > > >
> > > > > Marco
> > > > ___________________________________________________________________________
> > > > Sent via: Wireshark-users mailing list
> > > > Archives: http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
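
Added example, not part of the original thread and not libpcap's code: a small Python model of the fixed-offset matching behind the two filters discussed above, showing why the plain `port 53 or port 5060` filter misses 802.1Q-tagged frames while the `vlan and (...)` form shifts its offsets by 4 bytes. The frames, addresses and function names are constructed for illustration.

```python
import struct

PORTS = {53, 5060}  # DNS and SIP, the ports from the thread's filter

def build_frame(dst_port, vlan_id=None):
    """Constructed sample: Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    eth = bytes(12)  # destination + source MAC (all zero, constructed)
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", 0x0800)  # EtherType: IPv4
    udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return eth + ip + udp

def match_ports(frame, l3):
    """Test 'port 53 or port 5060' assuming the IPv4 header starts at byte l3."""
    if len(frame) < l3 + 20:
        return False
    if struct.unpack_from("!H", frame, l3 - 2)[0] != 0x0800:
        return False  # bytes where the EtherType is expected are not IPv4
    if frame[l3 + 9] not in (6, 17):
        return False  # neither TCP nor UDP
    if struct.unpack_from("!H", frame, l3 + 6)[0] & 0x1FFF:
        return False  # non-first fragment carries no port fields
    l4 = l3 + (frame[l3] & 0x0F) * 4
    if len(frame) < l4 + 4:
        return False
    return bool(PORTS & set(struct.unpack_from("!HH", frame, l4)))

def plain_filter(frame):
    """Model of 'port 53 or port 5060': IPv4 expected right after byte 13."""
    return match_ports(frame, 14)

def vlan_filter(frame):
    """Model of 'vlan and (port 53 or port 5060)': tag required, offsets +4."""
    return struct.unpack_from("!H", frame, 12)[0] == 0x8100 and match_ports(frame, 18)

if __name__ == "__main__":
    for label, frame in (("untagged", build_frame(53)),
                         ("VLAN 100", build_frame(5060, vlan_id=100))):
        print(label, "plain:", plain_filter(frame), "vlan:", vlan_filter(frame))
```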