Wireshark-users: Re: [Wireshark-users] capture filter to isolate one router's traffic from all
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 8 Feb 2008 19:02:27 +0100
On Fri, Feb 08, 2008 at 12:32:34PM -0500, Matthew Moeller wrote:
> 
> I have a spanned port which spans 3 edge segments to our network.  I'm
> trying to create a filter which would isolate traffic from one of the three
> edge routers that feed this port, can this be done?
> 
> I tried the filter:  gateway host <host> in the help section of the windows
> version but can't seem to get the syntax correct.  Wireshark itself rejects
> my attempts upon start of capture.  It seems to need a hostname (not ip
> addy)  in the <host> argument.  Is it that this can only be used with
> something along the lines of a proxy server and not a router?

The "gateway <host>" is specifically for a router and not for a proxy
server. If you take a look at: http://www.tcpdump.org/tcpdump_man.html :

gateway host
    True if the packet used host as a gateway. I.e., the Ethernet
    source or destination address was host but neither the IP source 
    nor the IP destination was host. Host must be a name and must be 
    found both by the machine's host-name-to-IP-address resolution 
    mechanisms (host name file, DNS, NIS, etc.) and by the machine's 
    host-name-to-Ethernet-address resolution mechanism 
    (/etc/ethers, etc.). (An equivalent expression is

    ether host ehost and not host host

If you can't resolve the hostname to an ip-address or the ip-address
is not in the arp table (which might be true if you're attching the
Wireshark system on a span-port), you might not want to rely on 
the L3 and L2 lookups and fill in the blanks yourself.

So if you want to collect only packets from router, you will have
to use something like:

"ether host <mac-address-of-router1> and not host <ip-address-of-router1>"

Hope this helps,
Cheers,
    Sake