Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark
From: Mitsuho Iizuka <m-iizuka@xxxxxxxxxxxxx>
Date: Thu, 28 Jun 2007 17:54:01 +0900 (JST)
Hi,

> From: Sake Blok <sake@xxxxxxxxxx>
> Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
> Date: Thu, 28 Jun 2007 10:20:17 +0200
> 
> > Healthchecks done by LBs are usually done from their own IP address,
> > while production traffic is either from the client IP or the NATted
> > address, which is usually different from the address that the health
> > checks are sent from. But... this varies per LB brand. If they
> > are different, you can filter on the IP addresses. Please note
> > that you can use a filter like "!ip.addr==<ip-healthchecks>"
> 
> Ummm... I'm a fool...
> Yes, those are only 4 IPs. I will do it.

No! No! All the packets to the LDAP server come from the LB, including
the health check packets.

The LB substitutes all the incoming MAC addresses as well. Does anyone
know of an awk/grep-like editcap tool that accepts a complex script?

> > If you have a complex filter and you are using tshark from unix (or cygwin),
> > you could have the filter in a file and do:
> > 
> > tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"

Now, for the time being, I will try this. This is a Linux box.

Regards,
// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
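As an added example (not from Sake or Mitsuho, and not part of the original thread), here is a small POSIX sh script that does what the quoted tip describes: it keeps a multi-clause display filter in a file, ANDs the lines together into one expression, and hands that to tshark to write only the matching packets. The filter-file layout (one clause per line, `#` comments, blank lines ignored), the sample clauses, the address 192.0.2.10 and the function names are all constructed for this example. It also adds a caveat the 2007 command needs today: modern tshark takes the single-pass display filter with `-Y`, and `-R` is now a two-pass read filter that requires `-2`.

```shell
#!/bin/sh
# Added example: keep a complex tshark display filter in a file and use it
# to write a trimmed capture. Not code from the thread; names and sample
# values are assumptions made for illustration.

# Write a constructed sample filter file to the path in $1.
# Each non-comment line is one display-filter clause; they are AND-ed.
write_sample_filter() {
    cat > "$1" <<'EOF'
# constructed sample: exclude one health-check source, keep LDAP only
!(ip.addr == 192.0.2.10)
ldap
EOF
}

# Turn a filter file into a single display-filter expression.
# Blank lines and '#' comments are dropped; the remaining lines are each
# wrapped in parentheses and joined with " && ", so precedence is explicit.
build_filter() {
    awk '
        /^[[:space:]]*#/ { next }   # skip comment lines
        /^[[:space:]]*$/ { next }   # skip blank lines
        {
            sub(/^[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            clauses[n++] = "(" $0 ")"
        }
        END {
            for (i = 0; i < n; i++)
                printf "%s%s", (i ? " && " : ""), clauses[i]
            printf "\n"
        }' "$1"
}

# Apply the assembled filter to a capture and write the survivors.
# $1 = input capture, $2 = output capture, $3 = filter file.
# -Y is the single-pass display filter in current tshark; the thread's
# "-R" form still works but now needs "-2" (two-pass mode) as well.
filter_capture() {
    in_file=$1; out_file=$2; filter_file=$3
    expr_str=$(build_filter "$filter_file") || return 1
    if [ -z "$expr_str" ]; then
        echo "filter file is empty: $filter_file" >&2
        return 1
    fi
    tshark -r "$in_file" -Y "$expr_str" -w "$out_file"
}

# Usage: sh filter_ldap.sh in.pcap out.pcap filter.txt
if [ "$#" -eq 3 ]; then
    filter_capture "$1" "$2" "$3"
fi
```

Because the expression is rebuilt from the file on every run, the file can be kept under version control next to the captures and extended clause by clause as more of the LB's traffic pattern is understood; the `grep`/`awk` step the mail asks for is effectively the display-filter language itself, applied by tshark rather than by editcap.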