Wireshark mailing list archives

Re: pcap / winpcap filters


From: Sake Blok <sake () euronet nl>
Date: Thu, 29 Apr 2010 17:46:18 +0200

My guess would be that all traffic is vlan-tagged on the mirror port. Could you try the filter "vlan and (port 53 or 
port 5060)"?

See also: http://wiki.wireshark.org/CaptureSetup/VLAN#head-6bf591391ffef059629a9eede2b4a3d83fdb215d

Cheers,


Sake


On 29 apr 2010, at 15:37, marco () marcomp it wrote:

Hi Lars,
     if I do not add any filter I can capture all the traffic (that does not match as source / destination or both) 
the mirroring port sends me. While if I enable a filter (like "igmp" for example) I can only see the traffic that can 
be accepted by the subnet I configure on my eth interface .....
  
Regards,
Marco
 
 
From: wireshark-users-bounces () wireshark org
To: "Community support list for Wireshark" wireshark-users () wireshark org
Cc:
Date: Thu, 29 Apr 2010 15:03:20 +0200
Subject: Re: [Wireshark-users] pcap / winpcap filters

Hi,
That's not a problem. In **promiscuous mode** (checked?), you will see any traffic coming out of the mirror port, 
regardless if it's on your local subnet or not.
Have you tried sniffing without any filter? Do you see the traffic of the other subnet then?
I suspect your problem is more related to your port mirroring setup than to Wireshark filters.

Regards,
Lars Ruoff


________________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of marco 
() marcomp it
Sent: Thursday, 29 April 2010 14:49
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] pcap / winpcap filters

Hi,
    yes, that's what I did in the past but if I use this filter string I can only get the packet that lookup on my 
ethernet interface .... while I need to see all the packets that are not sent to / coming from my eth interface 
subnet.
 
I did a port mirroring on a Layer3 switch so on the mirroring port I can see all the packets of some subnet and 
they will necessarily not match my eth interface subnet .....


Thanks !
Marco

From: wireshark-users-bounces () wireshark org
To: "Community support list for Wireshark" wireshark-users () wireshark org
Cc:
Date: Thu, 29 Apr 2010 14:09:46 +0200
Subject: Re: [Wireshark-users] pcap / winpcap filters

Hi,

Would that be a capture filter like: 'port 53 or port 5060'

Thanks,
Jaap

On Thu, 29 Apr 2010 11:39:17 +0200, "marco@marcomp.it" wrote:
I need to filter some traffic (before capturing it) using the pcap /
winpcap filter but this traffic comes from some different subnet (
different from my eth interface subnet ).
So if I apply a filter the pcap show me the packet that can lookup on my
eth interface only ...
How can I get the filtered traffic that comes from "everywhere"
(0.0.0.0/0) ?

I need to filter the data traffic before sending it to Wireshark
because I only need to check the DNS and SIP traffic for a long time
(maybe for more than 1 week)... so I don't want to store Gbyte and
Gbyte of not helpful data on my pc.....

Have you any suggestion ?


Marco

___________________________________________________________________________
Sent via: Wireshark-users mailing list
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
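
Why the filter suggested at the top of this thread behaves differently from the plain one, as an added example that is not part of the original messages: a simplified Python model of how a pcap capture filter tests ports at fixed byte offsets, and how the `vlan` keyword shifts those offsets by the 4-byte 802.1Q tag. The function names and the frames are constructed for illustration, and the model covers IPv4 TCP/UDP only.

```python
import struct

PORTS = {53, 5060}  # DNS and SIP, the two ports asked about in the thread

def udp_frame(dport, vlan_id=None, sport=40000):
    """Build a constructed Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    eth = bytes(6) + bytes(6)                                # dst MAC, src MAC (zeros)
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", 0x0800)                         # EtherType: IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return eth + ip + udp

def match_ports(frame, ports, l3_off=14):
    """Model of 'port A or port B': the IP header is assumed to start at l3_off."""
    if len(frame) < l3_off + 20:
        return False
    if struct.unpack_from("!H", frame, l3_off - 2)[0] != 0x0800:
        return False                     # EtherType at the expected offset is not IPv4
    if frame[l3_off + 9] not in (6, 17):
        return False                     # neither TCP nor UDP
    if struct.unpack_from("!H", frame, l3_off + 6)[0] & 0x1FFF:
        return False                     # non-first fragment carries no port fields
    l4 = l3_off + (frame[l3_off] & 0x0F) * 4
    if len(frame) < l4 + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return sport in ports or dport in ports

def match_vlan_ports(frame, ports):
    """Model of 'vlan and (port ...)': require the tag, then shift offsets by 4."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x8100:
        return False
    return match_ports(frame, ports, l3_off=18)

def match_either(frame, ports):
    """Model of '(port ...) or (vlan and (port ...))': tagged or untagged."""
    return match_ports(frame, ports) or match_vlan_ports(frame, ports)

if __name__ == "__main__":
    for name, f in (("untagged", udp_frame(53)), ("tagged", udp_frame(53, vlan_id=100))):
        print(name, match_ports(f, PORTS), match_vlan_ports(f, PORTS))
```

A filter that starts with `vlan` drops untagged frames, so a mirror port carrying both kinds needs the combined form `(port 53 or port 5060) or (vlan and (port 53 or port 5060))`, which `match_either` models.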