Wireshark mailing list archives

Re: src host capture filter not working


From: "Jeff Liegel" <jliegel () italkglobal com>
Date: Tue, 12 Jan 2010 17:18:46 -0600

Thank you for your suggestion, but the results are the same:

[]# tshark -i eth1  -f "host 207.35.208.194"
Capturing on eth1
  0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  1.174018  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  2.144040  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  3.442067  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  3.446064  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
  5.314116  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

________________________________

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Forthofer Russ
Sent: Tuesday, January 12, 2010 4:54 PM
To: 'Community support list for Wireshark'
Subject: Re: [Wireshark-users] src host capture filter not working

try -f "host 207.35.208.194".

________________________________

        From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeff Liegel
        Sent: Tuesday, January 12, 2010 5:36 PM
        To: wireshark-users () wireshark org
        Subject: Re: [Wireshark-users] src host capture filter not working
        Importance: High

________________________________

        From: Jeff Liegel
        Sent: Tuesday, January 12, 2010 4:28 PM
        To: 'wireshark-users () wireshark org'
        Subject: src host capture filter not working
        Importance: High

        Hi.  I desperately need to see packets coming from OR going to ip 207.35.208.194 using a capture filter.

        Works fine with a display filter only, but this is a really busy network and I need to ultimately save the capture to a file, thus I need a capture filter.

        []# tshark -i eth1 -R "ip.dst == 207.35.208.194 or ip.src == 207.35.208.194"
        Capturing on eth1
         13.306484 207.35.208.194 -> 208.77.1.33  SIP Request: REGISTER sip:proxyc11b.italkbb.com
         13.307911  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
         20.787232 207.35.208.194 -> 208.77.1.33  SIP Request: REGISTER sip:proxyc11b.italkbb.com
         20.788120  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)

        Just host should show packets both ways (like the example above) and does not:

        []# tshark -i eth1  host 207.35.208.194
        Capturing on eth1
          0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
          7.475218  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
        6 packets captured

        Src host does not work but dst host does work:

        []# tshark -i eth1 dst host 207.35.208.194 or src host 207.35.208.194
        Capturing on eth1
          0.000000  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
          7.475218  208.77.1.33 -> 207.35.208.194 SIP Status: 200 OK    (1 bindings)
        6 packets captured

        This shows that src host does not work all by itself either:

        []# tshark -i eth1  src host 207.35.208.194
        Capturing on eth1
        0 packets captured

        Here is my version stuff:

        TShark 1.0.3

        Copyright 1998-2008 Gerald Combs <gerald () wireshark org> and contributors.
        This is free software; see the source for copying conditions. There is NO
        warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

        Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX
        capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with
        GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos.

        Running on Linux 2.6.18-92.1.22.el5, with libpcap version 0.9.4.

        Built using gcc 4.1.2 20071124 (Red Hat 4.1.2-42).

________________________________


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
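Editor's note, added to this archive page and not part of the thread: the difference Jeff is seeing is between two different kinds of filter. A display filter (-R "ip.src == ... or ip.dst == ...") is evaluated on dissected fields after tshark has decoded each frame, whereas a capture filter (-f, or the trailing expression) is compiled by libpcap into BPF code that compares raw bytes at fixed offsets in the link-layer frame. The example below emulates both over three constructed Ethernet/IPv4 frames modelled on the REGISTER / 200 OK pairs in the thread, so the semantics of "src host", "dst host" and "host" can be checked offline without root or a live interface. It also includes one 802.1Q-tagged frame to show a general reason the two filter types can disagree: a tag shifts the IP header by four bytes, so an untagged "src host" predicate looks at the wrong offset unless the filter is written as "vlan and src host". The thread does not say what was actually on the wire in Jeff's case, and this is not a diagnosis of his setup. The emulation is simplified (IPv4 only; real libpcap "host" also matches ARP/RARP, and real 802.1Q handling depends on the libpcap version and platform); build_frame, capture_match, display_match and count_matches are names chosen here, not tshark or libpcap APIs.

```python
import struct
from ipaddress import IPv4Address

ETH_P_IP = 0x0800      # ethertype for IPv4
ETH_P_8021Q = 0x8100   # ethertype for an 802.1Q VLAN tag


def build_frame(src_ip, dst_ip, vlan_id=None, payload=b""):
    """Construct a minimal Ethernet/IPv4 frame (constructed sample data, not a
    real capture). With vlan_id set, one 802.1Q tag is inserted after the MACs."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 17, 0,   # v4/ihl=5, ttl 64, UDP, no checksum
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + payload


def capture_match(frame, predicate, addr, vlan=False):
    """Emulate the fixed-offset byte comparison that the BPF code for
    'src host A', 'dst host A' or 'host A' performs on an Ethernet frame.
    vlan=True means the expression was written as 'vlan and <predicate>':
    it then requires one 802.1Q tag at offset 12 and shifts every later offset by 4."""
    off = 12                                   # ethertype position in an untagged frame
    if vlan:
        if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
            return False
        off = 16                               # ethertype position after one tag
    if len(frame) < off + 2 + 20 or struct.unpack_from("!H", frame, off)[0] != ETH_P_IP:
        return False                           # not IPv4 at that offset: no match
    ip = off + 2                               # start of the IPv4 header
    want = IPv4Address(addr).packed
    src = frame[ip + 12: ip + 16]
    dst = frame[ip + 16: ip + 20]
    if predicate == "src host":
        return src == want
    if predicate == "dst host":
        return dst == want
    if predicate == "host":
        return src == want or dst == want
    raise ValueError(f"unsupported predicate: {predicate}")


def display_match(frame, addr):
    """Emulate the display filter 'ip.src == A or ip.dst == A': dissect the
    frame first (peeling any number of 802.1Q tags), then compare the parsed fields."""
    off = 12
    while True:
        if len(frame) < off + 2:
            return False
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype != ETH_P_8021Q:
            break
        off += 4                               # skip one VLAN tag and look again
    if ethertype != ETH_P_IP:
        return False
    ip = off + 2
    if len(frame) < ip + 20:
        return False
    want = IPv4Address(addr).packed
    return frame[ip + 12: ip + 16] == want or frame[ip + 16: ip + 20] == want


HOST = "207.35.208.194"   # the phone from the thread
PROXY = "208.77.1.33"     # the registrar from the thread

# Constructed frames modelled on the direction pairs shown in the thread.
SAMPLE_FRAMES = {
    "register_plain": build_frame(HOST, PROXY, payload=b"REGISTER sip:proxy SIP/2.0\r\n"),
    "ok_plain": build_frame(PROXY, HOST, payload=b"SIP/2.0 200 OK\r\n"),
    "register_tagged": build_frame(HOST, PROXY, vlan_id=100, payload=b"REGISTER sip:proxy SIP/2.0\r\n"),
}


def count_matches(frames, addr):
    """Return, per filter expression, how many of `frames` it would pass."""
    filters = {
        "src host": lambda f: capture_match(f, "src host", addr),
        "dst host": lambda f: capture_match(f, "dst host", addr),
        "host": lambda f: capture_match(f, "host", addr),
        "vlan and src host": lambda f: capture_match(f, "src host", addr, vlan=True),
        "ip.src == A or ip.dst == A (-R)": lambda f: display_match(f, addr),
    }
    return {name: sum(1 for f in frames.values() if fn(f)) for name, fn in filters.items()}


if __name__ == "__main__":
    for name, n in count_matches(SAMPLE_FRAMES, HOST).items():
        print(f"{name:35s} {n}")
```

Against the constructed frames, "host" passes exactly the union of "src host" and "dst host" (two frames), the display filter passes all three, and the tagged REGISTER is only picked up by a capture filter once it is written as "vlan and src host". The practical check this suggests is to compare what a display filter sees with what the capture filter sees on the same interface, and, when they disagree, to look at the raw link-layer encapsulation of the missing packets rather than at the IP addresses.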