Wireshark-dev: Re: [Wireshark-dev] capture filter issue
Date: Mon, 19 Jul 2010 17:21:01 +0530
Hi Sake,

Thanks a lot for your prompt reply.
I already tried the following options

1. (host 172.16.59.240) or (vlan and (host 172.16.59.240)))
2. (net 172.16.59.0/24) or (vlan and (net 172.16.59.0/24)))

In both the above cases I am facing the same error, I can see only
incoming traffic. Where as with out these filters I can see both
incoming & outgoing traffic.
Is this behavior is because of unidirectional L2 tagging?

Regards,
Upendra

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Monday, July 19, 2010 5:02 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] capture filter issue

On 19 jul 2010, at 13:19, <upendra.allu@xxxxxxxxx>
<upendra.allu@xxxxxxxxx> wrote:

> When I am doing live capture with Wireshark using the "Capture filter"
option (host 172.16.59.240), my expectation is that I can able to see
both the to and from (source & dest) traffic with that ip address. But I
can see only incoming traffic (i.e. destination ip address only), it is
not showing any outgoing traffic from that ip address.
>
> If I remove that filter and start capturing, then I can see both
incoming and outgoing traffic with that ip address.
> I am doubting some setup problem in my Wireshark, but not sure where
to change.
> Can you please help me on this issue.

It could be that incoming traffic is not 802.1Q tagged, while outgoing
traffic is  802.1Q tagged, that all depends on where you are doing the
capture and what the L2 design is of that infrastructure.

The capture filter "host 172.16.59.240" will only match untagged
traffic. If you would also like to see the 802.1Q tagged traffic for
172.16.59.240, you need to specify a capture filter like this:

"host 172.16.59.240 or (vlan and host 172.16.59.240)"

Please note that the order in that filter is important. See also:
http://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters

Hope this helps,
Cheers,


Sake

PS  This can also happen on PPPoE networks or any other situation where
L2 tagging/encapsulation is done in one direction, but the most common
case is 802.1Q vlan-tagging



________________________________________________________________________
___
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev

mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 

www.wipro.com