Re: src host capture filter not working

[Guy Harris <guy () alum mit edu>]

On Jan 12, 2010, at 2:35 PM, Jeff Liegel wrote:

> Hi.  I desperately need to see packets coming from OR going to ip 207.35.208.194 using capture filter
>
> Works fine with display filter only but this is a really busy network and I need to ultimately save the capture to a 
> file thus need a capture filter. 

The Wireshark display filter code, for the filter "ip.dst == 207.35.208.194 or ip.src == 207.35.208.194", looks for IP 
addresses wherever they appear in the packet.

The libpcap/WinPcap capture filter code, for the filter "host 207.35.208.194", generates BPF code that looks for IP 
addresses under the assumption that there are no VLAN headers.  The packets not being seen have VLAN headers.

The filter

        host 207.35.208.194 or (vlan and host 207.35.208.194)

(you will need to quote that if you put it on the command line) sees all the packets in the file; it will check for IP 
addresses with no VLAN headers or with one level of VLAN header.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe