[Ethereal-users] Capture without filter works fine, capture with filter doesn't

[Edward VanDewars <gt4200b@xxxxxxxxx>]

I'm running ethereal 0.10.9 on an interface attached
to a mirror port on a switch.  I can capture data just
fine if I do a capture by interface for the interface
on the mirrored port.  However, if I want to do any
type of capture filter then nothing will capture.

For example, I do an interface capture on the mirrored
interface, eth1, and see that there is a LOT of
traffic to IP address 1.2.3.4 so I attempt to do a
capture (on the mirrored interface, eth1) with a
capture filter of "host 1.2.3.4" and get nothing. 
I've tried starting ethereal with "-i eth1" with the
same results.

I suspect this is actually not an ethereal issue, as
tcpdump exhibits the same behavior.  "tcpdump -i eth1"
returns all expected traffic (including LOTS of
traffic to 1.2.3.4) but "tcpdump -i eth1 host 1.2.3.4"
returns nothing no matter how long I wait (although
upon ctrl-c it does report packets received by
filter).

In both cases I can capture traffic to and from the
local host on the other nic (eth0) using filters.

I'm running ethereal 0.10.9, tcpdump 3.8.3, and
libpcap  0.8 on linux (Debian/testing) (all are Debian
packages, nothing custom built) with kernel 2.6.10. 
The nic on the mirror port is an Intel pro/1000.

Any ideas or suggestions would be greatly appreciated.
 I am currently working around the issue by capturing
everything and then filtering using display filters
but the captures are getting too large.

Thanks in advance.


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com