Hello Wes,
Actually that was a very useful hint.
Because all the traps come from the same place, via a trap forwarder, I
can apply snmp.agent_addr ==192.168.0.0/16 or similar, which means I can
use a couple of subnets and a few IPs and I have a display filter to suit.
Thanks!
I capture all the traps via tcpdump on a remote box (Wireshark install
not possible) and UDP port 162, and now I can filter out all the traps I
am interested in after loading the pcap file into Wireshark.
On a related matter, if I want to just capture events that meet a filter
like snmp.agent_addr ==192.168.0.0/16, what options do I have?
TIA
Tony
Date: Fri, 7 Aug 2009 06:06:51 -0700 (PDT)
From: Wes <wes_r@xxxxxxxxx>
Subject: Re: [Wireshark-users] How do I change the default capture
filter
To: Community support list for Wireshark
<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <919569.1830.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=iso-8859-1
You might be able to use masks to help narrow it down. For example:
ip.addr==192.168.0.0/16
Wes
--- On Fri, 8/7/09, Tony Barratt <tbarratt@xxxxxxxxxxx> wrote:
From: Tony Barratt <tbarratt@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] How do I change the default capture filter
To: wireshark-users@xxxxxxxxxxxxx
Date: Friday, August 7, 2009, 3:28 AM
Interesting!
I would like to display filter on 200 known IPs, which is not practical
in the GUI.
Could I put the filter into one of the dfiles found in the folders tab?
Or is there perhaps a better way?
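
One way to apply the agent-addr match discussed in this thread to a long list of addresses outside the GUI, as an added example that is not part of the original messages: Python code that reads the agent-addr field from the UDP payload of an SNMPv1 trap (port 162) and tests it against a list of networks. The function names, the sample trap builder and the network list are constructed for illustration.

```python
import ipaddress

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def agent_addr(payload):
    """agent-addr of an SNMPv1 Trap-PDU as an IPv4Address, else None."""
    try:
        tag, msg, _ = read_tlv(payload, 0)      # Message SEQUENCE
        vtag, version, pos = read_tlv(msg, 0)   # INTEGER version
        if tag != 0x30 or vtag != 0x02 or version != b"\x00":
            return None                         # v1 only: v2c traps carry no agent-addr
        _, _, pos = read_tlv(msg, pos)          # OCTET STRING community
        tag, pdu, _ = read_tlv(msg, pos)        # [4] Trap-PDU
        _, _, pos = read_tlv(pdu, 0)            # OID enterprise
        atag, addr, _ = read_tlv(pdu, pos)      # [APPLICATION 0] IpAddress agent-addr
        if tag != 0xA4 or atag != 0x40 or len(addr) != 4:
            return None
        return ipaddress.IPv4Address(addr)
    except (ValueError, IndexError):            # malformed or truncated datagram
        return None

def wanted(payload, networks):
    addr = agent_addr(payload)
    return addr is not None and any(addr in net for net in networks)

# Constructed sample data below (not taken from the thread's capture).
def tlv(tag, value):                            # short-form lengths only (< 128 bytes)
    return bytes([tag, len(value)]) + value

def make_trap(agent, version=0):
    pdu = (tlv(0x06, bytes.fromhex("2b06010401bf08")) + tlv(0x40, ipaddress.IPv4Address(agent).packed)
           + tlv(0x02, b"\x06") + tlv(0x02, b"\x01") + tlv(0x43, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, b"public") + tlv(0xA4, pdu))

NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.20.30.40/32")]
```

Because the match is on the agent-addr inside the PDU rather than the IP source address, it still works when every trap arrives from the same trap forwarder.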