Wireshark-users: Re: [Wireshark-users] capture filter to isolate one router's traffic from all
On Fri, Feb 08, 2008 at 12:32:34PM -0500, Matthew Moeller wrote:
>
> I have a spanned port which spans 3 edge segments to our network. I'm
> trying to create a filter which would isolate traffic from one of the three
> edge routers that feed this port, can this be done?
>
> I tried the filter: gateway host <host> in the help section of the windows
> version but can't seem to get the syntax correct. Wireshark itself rejects
> my attempts upon start of capture. It seems to need a hostname (not ip
> addy) in the <host> argument. Is it that this can only be used with
> something along the lines of a proxy server and not a router?
The "gateway <host>" is specifically for a router and not for a proxy
server. If you take a look at: http://www.tcpdump.org/tcpdump_man.html :
gateway host
True if the packet used host as a gateway. I.e., the Ethernet
source or destination address was host but neither the IP source
nor the IP destination was host. Host must be a name and must be
found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism
(/etc/ethers, etc.). (An equivalent expression is
ether host ehost and not host host
If you can't resolve the hostname to an ip-address or the ip-address
is not in the arp table (which might be true if you're attching the
Wireshark system on a span-port), you might not want to rely on
the L3 and L2 lookups and fill in the blanks yourself.
So if you want to collect only packets from router, you will have
to use something like:
"ether host <mac-address-of-router1> and not host <ip-address-of-router1>"
Hope this helps,
Cheers,
Sake