Wireshark-users: Re: [Wireshark-users] pcap / winpcap filters
From: "marco@marcomp.it" <marco@xxxxxxxxxx>
Date: Thu, 29 Apr 2010 15:37:45 +0200
Hi Lars,
     if I do not add any filter I can capture all the traffic (that does not match as source / destination or both) the mirroring port sends me. While if I enable a filter (like "igmp", for example) I can only see the traffic that can be accepted by the subnet I configure on my eth interface .....
 
Regards,
Marco
 
 
From: wireshark-users-bounces@xxxxxxxxxxxxx
To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
Cc:
Date: Thu, 29 Apr 2010 15:03:20 +0200
Subject: Re: [Wireshark-users] pcap / winpcap filters

> Hi,
> That's not a problem. In **promiscuous mode** (checked?), you will see any traffic coming out of the mirror port, regardless of whether it's on your local subnet or not.
> Have you tried sniffing without any filter? Do you see the traffic of the other subnet then?
> I suspect your problem is more related to your port mirroring setup than to Wireshark filters.
>
> Regards,
> Lars Ruoff
>
>
> ________________________________________
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of marco@xxxxxxxxxx
> Sent: Thursday, 29 April 2010 14:49
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] pcap / winpcap filters
>
> Hi,
>     yes, that's what I did in the past, but if I use this filter string I can only get the packets that lookup on my ethernet interface .... while I need to see all the packets that are not sent to / coming from my eth interface subnet.
>
> I did a port mirroring on a Layer3 switch, so on the mirroring port I can see all the packets of some subnet and they will necessarily not match my eth interface subnet .....
>
>
> Thanks !
> Marco
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> To: "Community support list for Wireshark" wireshark-users@xxxxxxxxxxxxx
> Cc:
> Date: Thu, 29 Apr 2010 14:09:46 +0200
> Subject: Re: [Wireshark-users] pcap / winpcap filters
>
> > Hi,
> >
> > Would that be a capture filter like: 'port 53 or port 5060'
> >
> > Thanks,
> > Jaap
> >
> > On Thu, 29 Apr 2010 11:39:17 +0200, "marco@marcomp.it" wrote:
> > > I need to filter some traffic (before capturing it) using the pcap /
> > > winpcap filter, but this traffic comes from some different subnet
> > > (different from my eth interface subnet).
> > > So if I apply a filter, the pcap shows me the packets that can lookup on my
> > > eth interface only ...
> > > How can I get the filtered traffic that comes from "everywhere"
> > > (0.0.0.0/0)?
> > >
> > > I need to filter the data traffic before sending it to Wireshark because
> > > I only need to check the DNS and SIP traffic for a long time (maybe for
> > > more than 1 week)... so I don't want to store Gbyte and Gbyte of not
> > > helpful data on my pc.....
> > >
> > > Have you any suggestion ?
> > >
> > >
> > > Marco
> > >
> > subscribe
> > ___________________________________________________________________________
> > Sent via: Wireshark-users mailing list
> > Archives: http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe