On Apr 21, 2014, at 3:12 PM, Noam Birnbaum <noam@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I posted this on the wiki but haven’t gotten much help.
>
> I'm trying to filter capture traffic. I want to see all LPD traffic to/from a particular printer. However, regardless of whether I use "host 1.2.3.4" or "tcp port 515", Wireshark captures only traffic originating from the printer; it doesn't capture traffic from the other side of the TCP connection.
>
> However, when I capture with no capture filters, both Tx and Rx are captured!

And, as per further comments on the Wiki, when you capture with no capture filters, and then use a *display* filter of "ip.addr == 1.2.3.4" or "tcp.port == 515", you see traffic from *and* to the printer.

So:

o do the packets going *to* the printer have the destination IP address of the printer (the one you replaced with "1.2.3.4" in your example)?
o do the packets going *to* the printer have a TCP destination port number of 515?
o do the packets going *to* the printer have an Ethernet type of 0x0800?

> I tested this also with tcpdump and got the same results: capture filters only show source traffic from the printer; unfiltered captures show everything.

Not surprising, given that Wireshark/dumpcap and tcpdump both use libpcap, so the capture code path is the same.
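The three checks asked about above can be run directly against raw frame bytes from the unfiltered capture. The following is an added example, not code from the thread or from Wireshark/libpcap; the client address 10.0.0.5, port 40000, the helper names and the sample frames are constructed, and the 802.1Q-tagged frame is included only as one constructed case of a frame whose Ethernet type field is not 0x0800.

```python
import socket
import struct

PRINTER_IP = "1.2.3.4"   # placeholder address used in the thread
LPD_PORT = 515

def check_frame(frame, ip=PRINTER_IP, port=LPD_PORT):
    """Answer the three questions for one raw Ethernet frame (hypothetical helper)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": hex(ethertype), "is_ipv4": ethertype == 0x0800,
              "dst_ip_match": False, "dst_port_match": False}
    if not result["is_ipv4"]:
        # On Ethernet, a capture filter such as "host 1.2.3.4" tests the type
        # field at offset 12 first, so the IP header is never compared here.
        return result
    ip_hdr = frame[14:]
    ihl = (ip_hdr[0] & 0x0F) * 4                      # IPv4 header length in bytes
    result["dst_ip_match"] = socket.inet_ntoa(ip_hdr[16:20]) == ip
    if ip_hdr[9] == 6:                                # protocol 6 = TCP
        dport = struct.unpack("!H", ip_hdr[ihl + 2:ihl + 4])[0]
        result["dst_port_match"] = dport == port
    return result

def build_frame(src_ip, dst_ip, sport, dport, vlan=None):
    """Build a constructed sample frame: Ethernet + minimal IPv4 + TCP headers."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    macs = bytes(6) + bytes(6)                        # zeroed MAC addresses
    if vlan is not None:
        eth = macs + struct.pack("!HHH", 0x8100, vlan, 0x0800)  # 802.1Q tag
    else:
        eth = macs + struct.pack("!H", 0x0800)
    return eth + ip + tcp

# Constructed sample frames, not taken from the poster's capture.
SAMPLES = {
    "from printer": build_frame("1.2.3.4", "10.0.0.5", 515, 40000),
    "to printer": build_frame("10.0.0.5", "1.2.3.4", 40000, 515),
    "to printer (802.1Q)": build_frame("10.0.0.5", "1.2.3.4", 40000, 515, vlan=10),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, check_frame(frame))
```

A frame that answers "no" to the Ethernet type question is skipped by both "host 1.2.3.4" and "tcp port 515" as capture filters, while the display filters still match it because Wireshark dissects past the extra header.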