Wireshark-users: Re: [Wireshark-users] Sniffing LACP traffic with wireshark

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 30 May 2014 21:41:46 +0200
On 05/30/2014 05:52 PM, Kevin Wilson wrote:
> Hello,
> I have wireshark-1.10.7-1.
> when I sniff LACP (Link Aggregation Control Protocol) traffic, I see "LACP"
> in the protocol column, and the ethertype is 0x8809 (Slow Protocols (IEEE 802.3))

No, the ethertype is 0x8809, which the Wireshark dissection engine then uses to
feed the rest of the frame to the Slow Protocols dissector, which sets the
protocol column to "LACP".


> However, I need to sniff LACP traffic also from the command line with tshark
> (on Linux).

Perfect.


> I see:
> tshark -d 0x8809 -i em1
> I get this error:
> tshark: Parameter "0x8809" doesn't follow the template
> "<layer_type>==<selector>,<decode_as_protocol>"
> tshark: Unknown layer type -- 0x8809
> And when running "tshark -d", which displays the list of all protocols,
> I don't see the LACP protocol.

Why do you think you need to define a "Decode as..." setting? Did you have to do
that in Wireshark? I doubt it. And since Tshark uses the same Wireshark
dissection engine it is quite capable of figuring out that frames with ethertype
0x8809 should be handed to the Slow Protocols dissector.

> 
> It is strange that with the wireshark GUI client, 0x8009 is recognized as LACP,
> while "tshark -d" does not show the LACP.
> 
> Please advise, how can I sniff with tshark client with filtering for 0x8009
> Ethertype (LACP). (with -d ethertype==...)


So you want to use a capture filter for LACP traffic? Sure, use the -f option
with "ether proto 0x8809" as expression.


Thanks,
Jaap
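The reply draws a distinction worth seeing in code: the capture filter `ether proto 0x8809` only looks at the ethertype field, while the "LACP" label in the Protocol column comes from the dissection chain (ethertype 0x8809 hands the frame to the Slow Protocols dissector, whose subtype byte 0x01 selects LACP). The following is an added example written for this thread, not Wireshark's or tshark's own code; it re-creates that chain on constructed frame bytes with a plain Ethernet/LACPDU parser (the helper names `matches_capture_filter`, `dissect` and the sample frames are my own, and the field layout follows the IEEE 802.3ad LACPDU Actor Information TLV).

```python
import struct

ETHERTYPE_SLOW_PROTOCOLS = 0x8809  # IEEE 802.3 Slow Protocols; what "ether proto 0x8809" matches
SLOW_SUBTYPE_NAMES = {0x01: "LACP", 0x02: "Marker", 0x03: "OAM"}  # first payload byte picks the sub-dissector
ACTOR_STATE_BITS = ["Activity", "Timeout", "Aggregation", "Synchronization",
                    "Collecting", "Distributing", "Defaulted", "Expired"]

CAPTURE_FILTER = "ether proto 0x8809"  # the -f expression from the reply (libpcap/BPF syntax)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def matches_capture_filter(frame):
    """Behaves like the BPF compiled from 'ether proto 0x8809': compares the 16-bit
    field at offset 12 of an untagged Ethernet frame. A VLAN-tagged frame would need
    'vlan and ether proto 0x8809' because the 802.1Q tag shifts the ethertype."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_SLOW_PROTOCOLS


def decode_actor_state(state):
    """Expand the Actor_State bitfield into flag names (bit 0 = LACP_Activity)."""
    return [name for i, name in enumerate(ACTOR_STATE_BITS) if state & (1 << i)]


def dissect(frame):
    """Walk the chain the way the engine does: Ethernet -> Slow Protocols -> LACP.
    The returned 'protocol' value is what the Protocol column would display."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]),
            "ethertype": ethertype, "protocol": f"0x{ethertype:04x}"}
    if ethertype != ETHERTYPE_SLOW_PROTOCOLS:
        return info                      # another dissector's business
    info["protocol"] = "Slow Protocols"  # name at the ethertype level
    payload = frame[14:]
    if not payload:
        return info
    subtype = payload[0]
    info["subtype"] = subtype
    info["protocol"] = SLOW_SUBTYPE_NAMES.get(subtype, "Slow Protocols")
    if subtype != 0x01 or len(payload) < 22:
        return info
    info["lacp_version"] = payload[1]
    # Actor Information TLV: type 0x01, length 0x14 (20 bytes including the 2-byte TLV header)
    if payload[2] == 0x01 and payload[3] == 0x14:
        sys_prio, sys_mac, key, port_prio, port, state = struct.unpack("!H6sHHHB", payload[4:19])
        info["actor"] = {"system_priority": sys_prio, "system": _mac(sys_mac), "key": key,
                         "port_priority": port_prio, "port": port,
                         "state": decode_actor_state(state)}
    return info


# Constructed sample frames (no FCS). The LACPDU is cut after the Actor TLV, which is
# all this parser reads; a real LACPDU continues with Partner, Collector and Terminator TLVs.
LACP_FRAME = bytes.fromhex(
    "0180c2000002"   # dst: Slow Protocols reserved multicast address
    "001122334455"   # src (constructed)
    "8809"           # ethertype: Slow Protocols
    "01"             # subtype: LACP
    "01"             # LACP version 1
    "0114"           # Actor Information TLV, length 20
    "8000"           # actor system priority
    "001122334455"   # actor system ID
    "0001"           # actor key
    "8000"           # actor port priority
    "0001"           # actor port
    "3d"             # actor state: Activity|Aggregation|Sync|Collecting|Distributing
    "000000"         # reserved
)
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

if __name__ == "__main__":
    for name, frame in (("lacp", LACP_FRAME), ("arp", ARP_FRAME)):
        print(name, "passes", repr(CAPTURE_FILTER), "->", matches_capture_filter(frame))
        print(name, "dissects as", dissect(frame)["protocol"])
```

The point the example makes is the one in the reply: nothing needs a "Decode as" mapping, because the ethertype alone routes the frame to the right dissector, and the capture filter only has to name that ethertype. Note that `ether proto 0x8809` does not check the subtype, so Marker and OAM PDUs are captured too; narrowing to LACP is a display-filter job after capture.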