Wireshark-users: Re: [Wireshark-users] can't filter bidirectional traffic

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 21 Apr 2014 15:51:45 -0700
On Apr 21, 2014, at 3:12 PM, Noam Birnbaum <noam@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

> I posted this on the wiki but haven’t gotten much help.
> 
> I'm trying to filter capture traffic. I want to see all LPD traffic to/from a particular printer. However, regardless of whether I use "host 1.2.3.4" or "tcp port 515", Wireshark captures only traffic originating from the printer; it doesn't capture traffic from the other side of the TCP connection.
> 
> However, when I capture with no capture filters, both Tx and Rx are captured!

And, as per further comments on the Wiki, when you capture with no capture filters, and then use a *display* filter of "ip.addr == 1.2.3.4" or "tcp.port == 515", you see traffic from *and* to the printer.

So:

	o do the packets going *to* the printer have the destination IP address of the printer (the one you replaced with "1.2.3.4" in your example)?
	o do the packets going *to* the printer have a TCP destination port number of 515?
	o do the packets going *to* the printer have an Ethernet type of 0x0800?

> I tested this also with tcpdump and got the same results: capture filters only show source traffic from the printer; unfiltered captures show everything.

Not surprising, given that Wireshark/dumpcap and tcpdump both use libpcap, so the capture code path is the same.
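The three questions above can be checked mechanically. The following is an added example, not code from the thread or from Wireshark/libpcap: it parses constructed Ethernet II frames and models, in plain Python, why a libpcap capture filter such as "host 1.2.3.4" / "tcp port 515" and a Wireshark display filter such as "ip.addr == 1.2.3.4" / "tcp.port == 515" can disagree. It goes one step beyond the message by including the 802.1Q-tagged case, which is what the ethertype question is probing: on an Ethernet link, libpcap's "host" and "tcp port" primitives first test that the two bytes at offset 12 are 0x0800, so a tagged frame (0x8100 at offset 12) is not matched unless the filter is written "vlan and host 1.2.3.4", whereas the display filter works on the dissected packet and ignores the tag. The client address 1.2.3.5, the MAC addresses and the ports are made up for the example.

```python
"""Added example (not from the original thread): model libpcap capture-filter
matching vs Wireshark display-filter matching on constructed frames.
1.2.3.4 is the printer from the thread; 1.2.3.5, the MACs and ports are made up."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6
LPD_PORT = 515


@dataclass
class Frame:
    outer_ethertype: int          # the two bytes at offset 12, exactly as a BPF filter sees them
    vlan_id: Optional[int]        # 802.1Q VLAN ID if the frame was tagged
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                vlan_id: Optional[int] = None) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame, no payload, checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"   # made-up dst/src MACs
    if vlan_id is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return eth + tag + ip_hdr + tcp_hdr


def parse_frame(raw: bytes) -> Frame:
    """Dissect the way Wireshark does: step over an 802.1Q tag if present."""
    outer = struct.unpack("!H", raw[12:14])[0]
    vlan_id, inner, off = None, outer, 14
    if outer == ETHERTYPE_VLAN:                      # TCI (2 bytes) then the real ethertype
        vlan_id = struct.unpack("!H", raw[14:16])[0] & 0x0FFF
        inner = struct.unpack("!H", raw[16:18])[0]
        off = 18
    f = Frame(outer, vlan_id)
    if inner != ETHERTYPE_IPV4:
        return f
    ihl = (raw[off] & 0x0F) * 4
    f.proto = raw[off + 9]
    f.src_ip = ".".join(str(b) for b in raw[off + 12:off + 16])
    f.dst_ip = ".".join(str(b) for b in raw[off + 16:off + 20])
    if f.proto == IPPROTO_TCP:
        f.src_port, f.dst_port = struct.unpack("!HH", raw[off + ihl:off + ihl + 4])
    return f


def capture_host(f: Frame, ip: str) -> bool:
    """'host IP' on DLT_EN10MB: ether[12:2] must be 0x0800 before the IP addresses
    are compared, so a tagged frame never matches without the 'vlan' keyword.
    (The ARP/RARP clauses that 'host' also generates are omitted here.)"""
    return f.outer_ethertype == ETHERTYPE_IPV4 and ip in (f.src_ip, f.dst_ip)


def capture_tcp_port(f: Frame, port: int) -> bool:
    """'tcp port N': same ethertype gate, then protocol and ports (fragment check omitted)."""
    return (f.outer_ethertype == ETHERTYPE_IPV4 and f.proto == IPPROTO_TCP
            and port in (f.src_port, f.dst_port))


def display_ip_addr(f: Frame, ip: str) -> bool:
    """'ip.addr == IP': operates on the dissected packet, so the VLAN tag is irrelevant."""
    return ip in (f.src_ip, f.dst_ip)


def display_tcp_port(f: Frame, port: int) -> bool:
    return f.proto == IPPROTO_TCP and port in (f.src_port, f.dst_port)


def diagnose(raw: bytes, printer_ip: str) -> dict:
    """Answer the three questions from the reply for one frame, plus the four filter results."""
    f = parse_frame(raw)
    return {
        "dst_is_printer": f.dst_ip == printer_ip,
        "dst_port_is_lpd": f.dst_port == LPD_PORT,
        "ethertype_is_ipv4": f.outer_ethertype == ETHERTYPE_IPV4,
        "capture_host": capture_host(f, printer_ip),
        "capture_tcp_port": capture_tcp_port(f, LPD_PORT),
        "display_ip_addr": display_ip_addr(f, printer_ip),
        "display_tcp_port": display_tcp_port(f, LPD_PORT),
    }


PRINTER, CLIENT = "1.2.3.4", "1.2.3.5"                 # client address is hypothetical
FROM_PRINTER = build_frame(PRINTER, CLIENT, LPD_PORT, 40001)
TO_PRINTER = build_frame(CLIENT, PRINTER, 40001, LPD_PORT)
TO_PRINTER_TAGGED = build_frame(CLIENT, PRINTER, 40001, LPD_PORT, vlan_id=100)

if __name__ == "__main__":
    for name, raw in [("from printer", FROM_PRINTER), ("to printer", TO_PRINTER),
                      ("to printer, 802.1Q", TO_PRINTER_TAGGED)]:
        print(f"{name:20s} {diagnose(raw, PRINTER)}")
```

For the untagged frames both filter families agree in both directions; for the tagged frame the capture filters fail while the display filters match, which is the symptom described in the question. On a real capture, `tcpdump -e -n -i <interface>` prints the link-layer header of each frame, including the ethertype, which answers the third question directly; if the inbound frames turn out to be 802.1Q-tagged, the pcap-filter syntax is `vlan and host 1.2.3.4`.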