Re: [Wireshark-dev] capture filter issue

[Sake Blok <sake () euronet nl>]

Update from a personal mail-exchange between Upendra and me (because of the confidentiality of the data), but maybe 
useful for others as well:


> Please find the attached file, in this ip addresses are different, in
> that file you can find with filter and with out filter packets.

The packets you are interested in are Q-in-Q tagged, which means they have 2 layers of 802.1Q tags (in one direction, 
the other direction is just 802.1Q tagged). You need to incorporate that in your capture filter, which can be tricky. 
If you want to filter for untagged, 802.1Q tagged and Q-in-Q tagged packets, you must do something like:

host 10.102.53.1 or (vlan and (host 10.102.53.1 or (vlan and host 10.102.53.1)))

(I had to do some testing on your files myself to make this work actually :-) )

Cheers,


Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe