Wireshark mailing list archives
Re: src host capture filter not working
From: "Jeff Liegel" <jliegel () italkglobal com>
Date: Tue, 12 Jan 2010 17:18:46 -0600
Thank you for your suggestion but the results are the same:

    []# tshark -i eth1 -f "host 207.35.208.194"
    Capturing on eth1
    0.000000 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    1.174018 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    2.144040 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    3.442067 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    3.446064 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    5.314116 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Forthofer Russ
Sent: Tuesday, January 12, 2010 4:54 PM
To: 'Community support list for Wireshark'
Subject: Re: [Wireshark-users] src host capture filter not working

try -f "host 207.35.208.194".

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeff Liegel
Sent: Tuesday, January 12, 2010 5:36 PM
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] src host capture filter not working
Importance: High

________________________________
From: Jeff Liegel
Sent: Tuesday, January 12, 2010 4:28 PM
To: 'wireshark-users () wireshark org'
Subject: src host capture filter not working
Importance: High

Hi. I desperately need to see packets coming from OR going to ip 207.35.208.194 using capture filter

Works fine with display filter only but this is a really busy network and I need to ultimately save the capture to a file thus need a capture filter.

    []# tshark -i eth1 -R "ip.dst == 207.35.208.194 or ip.src == 207.35.208.194"
    Capturing on eth1
    13.306484 207.35.208.194 -> 208.77.1.33 SIP Request: REGISTER sip:proxyc11b.italkbb.com
    13.307911 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    20.787232 207.35.208.194 -> 208.77.1.33 SIP Request: REGISTER sip:proxyc11b.italkbb.com
    20.788120 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)

Just host should show packets both ways (like example above) and does not

    []# tshark -i eth1 host 207.35.208.194
    Capturing on eth1
    0.000000 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    7.475218 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    6 packets captured

Src host does not work but dst host does work

    []# tshark -i eth1 dst host 207.35.208.194 or src host 207.35.208.194
    Capturing on eth1
    0.000000 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    7.475218 208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK (1 bindings)
    6 packets captured

This shows that src host does not work all by itself either

    []# tshark -i eth1 src host 207.35.208.194
    Capturing on eth1
    0 packets captured

Here is my version stuff

    TShark 1.0.3
    Copyright 1998-2008 Gerald Combs <gerald () wireshark org> and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX
    capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with
    GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos.
    Running on Linux 2.6.18-92.1.22.el5, with libpcap version 0.9.4.
    Built using gcc 4.1.2 20071124 (Red Hat 4.1.2-42).