Discussion:
Problem using VLAN capture filter
Andrew Daviel
2014-06-23 23:42:24 UTC
We have a machine set up with an interface connected to a mirror port on a
network router. On the router, multiple VLANs are mirrored to the same
port.

Until recently, we had an ancient machine running RedHat Linux 7.3,
with Linux 2.4.20, tcpdump-3.6, libpcap-0.6 and an optical gigabit
interface.
We could capture packets with e.g. "tcpdump -i eth1 -w eth1.cap"
and then replay them with e.g.
"tcpdump -r eth1.cap vlan 901 and host 192.168.3.4".
Or we could capture live packets with e.g.
"tcpdump -i eth1 vlan 901 and host 192.168.3.4".

We replaced this with a newer machine with CentOS 6, Linux 2.6.32,
tcpdump-4.0.0, libpcap-1.4, wireshark-1.8.10.

On this machine we can capture as before, and then use a VLAN filter
during analysis with tcpdump or wireshark.

But if I use a VLAN filter during capture, no packets are matched.
Without the VLAN filter, all packets are matched, and I can filter by host
address etc. This is the same in tcpdump and wireshark.

How can I get the live capture filter to work? I want to be able to look
at just one VLAN without having to build a complex IP address-based
filter.
--
Andrew Daviel, TRIUMF, Canada
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
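
What the filter "vlan 901 and host 192.168.3.4" from the post checks in the frame bytes, as an added example that is not part of the original post. The frames are constructed, only the IPv4 case of `host` is modelled, and all function names are hypothetical. The untagged sample stands for a frame handed to the filter without its 802.1Q tag; whether that happens on the machine in the post is an assumption.

```python
import socket
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800

def _ipv4_host_at(frame, l2_len, host):
    """True if an IPv4 header starts at l2_len and host is its src or dst."""
    if len(frame) < l2_len + 20:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != ETH_P_IP:
        return False
    addr = socket.inet_aton(host)
    return addr in (frame[l2_len + 12:l2_len + 16], frame[l2_len + 16:l2_len + 20])

def match_host(frame, host):
    """Models 'host H' (IPv4 only): EtherType at offset 12, IP header at 14."""
    return _ipv4_host_at(frame, 14, host)

def match_vlan_host(frame, vid, host):
    """Models 'vlan V and host H': the tag must be present in the frame bytes."""
    if len(frame) < 18:
        return False
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != ETH_P_8021Q or (tci & 0x0FFF) != vid:  # VID is the low 12 bits
        return False
    return _ipv4_host_at(frame, 18, host)  # later offsets shift by the 4-byte tag

def build_frame(src_ip, dst_ip, vid=None):
    """Constructed sample: Ethernet, optional 802.1Q tag, bare IPv4 header."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,  # checksum left 0
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_P_IP) + ip

SAMPLES = {  # constructed frames, not captured traffic
    "tagged vlan 901": build_frame("192.168.3.4", "192.168.3.1", vid=901),
    "tagged vlan 902": build_frame("192.168.3.4", "192.168.3.1", vid=902),
    "untagged": build_frame("192.168.3.4", "192.168.3.1"),
}

def evaluate(vid=901, host="192.168.3.4"):
    """Per sample: (result of 'vlan V and host H', result of 'host H')."""
    return {name: (match_vlan_host(f, vid, host), match_host(f, host))
            for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (vlan_hit, host_hit) in evaluate().items():
        print(f"{name:16} vlan+host={vlan_hit!s:5} host={host_hit}")
```

The untagged frame matches the plain host filter but not the VLAN filter, and the tagged frames do the reverse for VLAN 901.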