Wireshark mailing list archives

Re: src host capture filter not working


From: Forthofer Russ <Russ.Forthofer () ssfhs org>
Date: Tue, 12 Jan 2010 17:54:10 -0500

try -f "host 207.35.208.194".

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeff Liegel
Sent: Tuesday, January 12, 2010 5:36 PM
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] src host capture filter not working
Importance: High



________________________________
From: Jeff Liegel
Sent: Tuesday, January 12, 2010 4:28 PM
To: 'wireshark-users () wireshark org'
Subject: src host capture filter not working
Importance: High

Hi.  I desperately need to see packets coming from OR going to ip 207.35.208.194 using a capture filter.

Works fine with display filter only but this is a really busy network and I need to ultimately save the capture to a 
file thus need a capture filter.

[]# tshark -i eth1 -R "ip.dst == 207.35.208.194 or ip.src == 207.35.208.194"
Capturing on eth1
 13.306484 207.35.208.194 -> 208.77.1.33  SIP Request: REGISTER sip:proxyc11b.italkbb.com
 13.307911  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
 20.787232 207.35.208.194 -> 208.77.1.33  SIP Request: REGISTER sip:proxyc11b.italkbb.com
 20.788120  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

Just host should show packets both ways (like the example above) and does not.

[]# tshark -i eth1  host 207.35.208.194
Capturing on eth1
  0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  7.475218  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
6 packets captured

Src host does not work but dst host does work.

[]# tshark -i eth1 dst host 207.35.208.194 or src host 207.35.208.194
Capturing on eth1
  0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  7.475218  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
6 packets captured

This shows that src host does not work all by itself either.

[]# tshark -i eth1  src host 207.35.208.194
Capturing on eth1
0 packets captured

Here is my version stuff:

TShark 1.0.3

Copyright 1998-2008 Gerald Combs <gerald () wireshark org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX
capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with
GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos.

Running on Linux 2.6.18-92.1.22.el5, with libpcap version 0.9.4.

Built using gcc 4.1.2 20071124 (Red Hat 4.1.2-42).


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
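As an added illustration (this is not Wireshark or libpcap code, and it is not from either poster), the toy evaluator below models the subset of the capture-filter language used in the thread: the `host`, `src host` and `dst host` primitives combined with `and`, `or`, `not` and parentheses. It is applied to constructed packet records modelled on the summaries quoted above, so the semantics Jeff expects (`host A` matches both directions and is equivalent to `dst host A or src host A`, which in turn matches the same packets as the display filter `ip.src == A or ip.dst == A`) can be checked offline before a filter is used on a busy link. The names `Packet`, `FilterParser`, `apply_filter`, `match_counts` and `SAMPLE` are this example's own. One caveat: the toy works on already-decoded addresses, whereas a real capture filter is compiled against the raw frame and a display filter against the dissected packet, so it cannot reproduce a mismatch between the two that originates in the link layer; it only shows what a correct evaluation of the expression should yield.

```python
"""Toy evaluator for a subset of the pcap/BPF capture-filter syntax.
Added example, not Wireshark/libpcap code; operates on decoded addresses only.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet record: only the fields this filter subset inspects."""
    src: str
    dst: str
    summary: str = ""


Predicate = Callable[[Packet], bool]

# Constructed sample traffic, modelled on the summaries quoted in the thread.
SAMPLE: List[Packet] = [
    Packet("207.35.208.194", "208.77.1.33", "SIP Request: REGISTER"),
    Packet("208.77.1.33", "207.35.208.194", "SIP Status: 200 OK"),
    Packet("207.35.208.194", "208.77.1.33", "SIP Request: REGISTER"),
    Packet("208.77.1.33", "207.35.208.194", "SIP Status: 200 OK"),
    Packet("10.0.0.5", "10.0.0.9", "unrelated traffic"),
]


def _or(left: Predicate, right: Predicate) -> Predicate:
    return lambda p: left(p) or right(p)


def _and(left: Predicate, right: Predicate) -> Predicate:
    return lambda p: left(p) and right(p)


class FilterParser:
    """Recursive descent: "or" binds loosest, then "and", then "not"."""

    def __init__(self, expr: str) -> None:
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self, expected: Optional[str] = None) -> str:
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'token'!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected trailing token {self._peek()!r}")
        return pred

    def _expr(self) -> Predicate:          # expr := term ("or" term)*
        left = self._term()
        while self._peek() == "or":
            self._take()
            left = _or(left, self._term())
        return left

    def _term(self) -> Predicate:          # term := factor ("and" factor)*
        left = self._factor()
        while self._peek() == "and":
            self._take()
            left = _and(left, self._factor())
        return left

    def _factor(self) -> Predicate:        # factor := "not" factor | "(" expr ")" | primitive
        tok = self._peek()
        if tok == "not":
            self._take()
            inner = self._factor()
            return lambda p: not inner(p)
        if tok == "(":
            self._take()
            inner = self._expr()
            self._take(")")
            return inner
        return self._primitive()

    def _primitive(self) -> Predicate:     # [src|dst] host ADDR; bare "host" = either direction
        direction = self._take() if self._peek() in ("src", "dst") else None
        self._take("host")
        addr = self._take()
        if direction == "src":
            return lambda p: p.src == addr
        if direction == "dst":
            return lambda p: p.dst == addr
        return lambda p: p.src == addr or p.dst == addr


def apply_filter(expr: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets matching a capture-filter expression."""
    pred = FilterParser(expr).parse()
    return [p for p in packets if pred(p)]


def display_filter_either_direction(addr: str, packets: List[Packet]) -> List[Packet]:
    """Counterpart of the display filter "ip.src == A or ip.dst == A"."""
    return [p for p in packets if p.src == addr or p.dst == addr]


def match_counts(addr: str, packets: List[Packet]) -> dict:
    """Match counts for the expressions in the thread; the three
    bidirectional forms must agree on the same input."""
    return {
        "display": len(display_filter_either_direction(addr, packets)),
        "host": len(apply_filter(f"host {addr}", packets)),
        "dst_or_src": len(apply_filter(f"dst host {addr} or src host {addr}", packets)),
        "src": len(apply_filter(f"src host {addr}", packets)),
        "dst": len(apply_filter(f"dst host {addr}", packets)),
    }


if __name__ == "__main__":
    for name, count in match_counts("207.35.208.194", SAMPLE).items():
        print(f"{name:>11}: {count}")
```

Run as-is, the script reports 4 matches for the display filter, for `host`, and for `dst host ... or src host ...`, and 2 each for `src host` and `dst host` on the sample; any real capture that shows `host A` matching only one direction while the display filter matches both therefore points at the filter's evaluation against the raw frame, not at the expression itself.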