Wireshark · Wireshark-users: Re: [Wireshark-users] [Wireshark-dev] capture filter issue

Wireshark-users: Re: [Wireshark-users] [Wireshark-dev] capture filter issue

From: Sake Blok <sake@xxxxxxxxxx>

Date: Mon, 19 Jul 2010 18:53:38 +0200

Update from a personal mail-exchange between Upendra and me (because of the confidentiality of the data), but maybe useful for others as well:


> Please find the attached file, in this ip addresses are different, in
> that file you can find with filter and with out filter packets.

The packets you are interested in are Q-in-Q tagged, which means they have 2 layers of 802.1Q tags (in one direction, the other direction is just 802.1Q tagged). You need to incorporate that in your capture filter, which can be tricky. If you want to filter for untagged, 802.1Q tagged and Q-in-Q tagged packets, you must do something like:

host 10.102.53.1 or (vlan and (host 10.102.53.1 or (vlan and host 10.102.53.1)))

(I had to do some testing on your files myself to make this work actually :-) )

Cheers,


Sake

Prev by Date: [Wireshark-users] network monitor 3.3 traces cannot be read
Next by Date: Re: [Wireshark-users] network monitor 3.3 traces cannot be read
Previous by thread: Re: [Wireshark-users] network monitor 3.3 traces cannot be read
Next by thread: [Wireshark-users] Trouble with "contains" filter!
Index(es):
- Date
- Thread