Ethereal

Re: [Ethereal-users] Capture without filter works fine, capture with filter doesn't
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: March 2005

 

any vlan tags?

if so you have to add to the filter the vlan in which to find the IP.

example:
"vlan 123 and host 1.2.3.4"




On Thu, 3 Mar 2005 09:56:24 -0800 (PST), Edward VanDewars
<gt4200b@xxxxxxxxx> wrote:
> I'm running ethereal 0.10.9 on an interface attached
> to a mirror port on a switch.  I can capture data just
> fine if I do a capture by interface for the interface
> on the mirrored port.  However, if I want to do any
> type of capture filter then nothing will capture.
> 
> For example, I do an interface capture on the mirrored
> interface, eth1, and see that there is a LOT of
> traffic to IP address 1.2.3.4 so I attempt to do a
> capture (on the mirrored interface, eth1) with a
> capture filter of "host 1.2.3.4" and get nothing.
> I've tried starting ethereal with "-i eth1" with the
> same results.
> 
> I suspect this is actually not an ethereal issue, as
> tcpdump exhibits the same behavior.  "tcpdump -i eth1"
> returns all expected traffic (including LOTS of
> traffic to 1.2.3.4) but "tcpdump -i eth1 host 1.2.3.4"
> returns nothing no matter how long I wait (although
> upon ctrl-c it does report packets received by
> filter).
> 
> In both cases I can capture traffic to and from the
> local host on the other nic (eth0) using filters.
> 
> I'm running ethereal 0.10.9, tcpdump 3.8.3, and
> libpcap  0.8 on linux (Debian/testing) (all are Debian
> packages, nothing custom built) with kernel 2.6.10.
> The nic on the mirror port is an Intel pro/1000.
> 
> Any ideas or suggestions would be greatly appreciated.
>  I am currently working around the issue by capturing
> everything and then filtering using display filters
> but the captures are getting too large.
> 
> Thanks in advance.
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.