Wireshark · Wireshark-users: Re: [Wireshark-users] conditional display filters on Wireshark?

Wireshark-users: Re: [Wireshark-users] conditional display filters on Wireshark?

Date: Tue, 19 Jul 2011 16:13:17 -0300

Chris Maynard wrote:

Yes, this is possible.  Have a look here:

http://wiki.wireshark.org/DisplayFilters
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

Thanks, Chris. Your URL was helpful in helping me determine unknownunicast traffic in an L2TPv2 tunnel.


What I did...

display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33) (to showunicast traffic that was coming from places other than the Cisco gatewayethernet MAC addr)


Then I'm drilling down from there to look more closely in that traffic

display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33) && l2tp&& arp (&& other stuff to narrow down this big list)

Once I find an interesting packet, then I see if it ever originated onmy segment


e.g.

display filter: eth.src == Apple_99:88:77

If it doesn't, then I know that the unicast is a problem and that Icould very well need some sort of a switch with UUFB (unknown unicastflood blocking).

References:
- [Wireshark-users] conditional display filters on Wireshark?
  - From: Rogelio
- Re: [Wireshark-users] conditional display filters on Wireshark?
  - From: Chris Maynard

Prev by Date: Re: [Wireshark-users] conditional display filters on Wireshark?
Next by Date: [Wireshark-users] How do I slightly tweak the text output options of tshark?
Previous by thread: Re: [Wireshark-users] conditional display filters on Wireshark?
Next by thread: [Wireshark-users] How do I slightly tweak the text output options of tshark?
Index(es):
- Date
- Thread