This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PC 'A' is an old XP machine monitoring my internal WiFi network and helping debug what PC 'B' is doing (Wireshark 1.6.2 on Ubuntu 11.10).

Both Wiresharks are in promiscuous capture.

I want to see UDP packets on a specific port directed at PC B, plus an ICMP packet that B sends in response, AND any packets that B sends prior to the received UDP packet (to track down a Firewall problem).

Using Wireshark on PC B I 'know what to expect' for most of the time (i.e. once Wireshark is started, just missing the initial boot etc.), which is how I know there are things 'missing' from the trace on PC A.

If I use (on PC A) the capture filter 'ip proto 1 or ip proto 17' I see MOST (but not all) of the incoming UDP and outgoing ICMP.

If I add 'or (ether host ab:cd:ef:gh:ij:kl and not ether proto 0x0806)' to the capture filter string, I do not see the incoming UDP anymore (looks like I see only packets sent by the specified host).

If, instead, I add 'or dst net 224.0.0.0' then I see most of the incoming UDP, and corresponding ICMP, and any IP multicast traffic that is sent... but I am missing (by design) any other traffic sent by PC A.

I saw in the forum a post re a special form of display filter (on source IP) needed when traffic is captured from a WiFi interface... Is there an equivalent that is needed to get the capture filter to work as desired on WiFi?

OR is my capture filter design/syntax OK, and the missing packets due to bad WiFi, incapable old hardware, etc.?

OR is this a known bug/issue with such an old version of Wireshark? (I looked at upgrading a while back and think I concluded 'not possible without OS upgrade'.)

Thanks in advance.

asked 15 Jun '13, 17:03

charlieS
