PC 'A' is an old XP machine monitoring my internal WiFi network and helping debug what PC 'B' is doing (Wireshark 1.6.2 on Ubuntu 11.10). Both Wiresharks are capturing in promiscuous mode. I want to see UDP packets on a specific port directed at PC B, plus an ICMP packet that B sends in response, AND any packets that B sends prior to the received UDP packet (to track down a firewall problem).

Using Wireshark on PC B I 'know what to expect' most of the time (i.e. once Wireshark is started, just missing the initial boot etc.), which is how I know there are things 'missing' from the trace on PC A.

If I use (on PC A) the capture filter 'ip proto 1 or ip proto 17' I see MOST (but not all) of the incoming UDP and outgoing ICMP.

If I add 'or (ether host ab:cd:ef:gh:ij:kl and not ether proto 0x0806)' to the capture filter string, I do not see the incoming UDP anymore (it looks like I see only packets sent by the specified host).

If, instead, I add 'or dst net 224.0.0.0' then I see most of the incoming UDP, and the corresponding ICMP, and any IP multicast traffic that is sent... but I am missing (by design) any other traffic sent by PC A.

I saw in the forum a post regarding a special form of display filter (on source IP) needed when traffic is captured from a WiFi interface... Is there an equivalent that is needed to get the capture filter to work as desired on WiFi? OR is my capture filter design/syntax OK, and the missing packets are due to bad WiFi, incapable old hardware, etc.? OR is this a known bug/issue with such an old version of Wireshark? (I looked at upgrading a while back and think I concluded 'not possible without an OS upgrade'.)

Thanks in advance,

asked 15 Jun '13, 17:03 charlieS
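As an added illustration (not part of charlieS's post or of any answer), the Python below models how libpcap evaluates the capture-filter primitives used in the question over constructed Ethernet-framed packets: 'ether host' matches either the source or the destination MAC, 'ether proto 0x0806' is ARP, and 'dst net' takes its mask from the number of octets written (a dotted quad such as 224.0.0.0 is a /32 host match; the single number 224 covers 224.0.0.0/8). The MAC addresses, IP addresses and frames are constructed for the example; the 802.11 layer and WiFi driver behaviour are outside this model.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17
PC_B = "00:11:22:33:44:55"    # constructed MAC standing in for PC B
OTHER = "66:77:88:99:aa:bb"   # constructed MAC of some other station

def _mac(s): return bytes.fromhex(s.replace(":", ""))

def frame(dst_mac, src_mac, ethertype, ip_src="0.0.0.0", ip_dst="0.0.0.0", proto=0):
    """Constructed Ethernet frame; IPv4 frames get a minimal 20-byte header and no payload."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype)
    if ethertype != ETH_IPV4:
        return eth
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                             IPv4Address(ip_src).packed, IPv4Address(ip_dst).packed)

def parse(pkt):
    f = {"eth_dst": pkt[:6], "eth_src": pkt[6:12], "ethertype": struct.unpack("!H", pkt[12:14])[0]}
    if f["ethertype"] == ETH_IPV4 and len(pkt) >= 34:
        f["ip_proto"] = pkt[23]                                  # IPv4 protocol byte
        f["ip_dst"] = int.from_bytes(pkt[30:34], "big")
    return f

# One predicate per libpcap primitive used in the question, following libpcap's matching rules.
def ip_proto(f, p): return f.get("ip_proto") == p                         # 'ip proto N'
def ether_host(f, mac): return _mac(mac) in (f["eth_src"], f["eth_dst"])  # 'ether host X': src OR dst MAC
def ether_proto(f, t): return f["ethertype"] == t                         # 'ether proto 0x0806' is ARP
def dst_net(f, net, bits):                                                # 'dst net N': mask derived from the octets
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF                        # written: dotted quad -> /32 (a host match),
    return "ip_dst" in f and (f["ip_dst"] & mask) == (int(IPv4Address(net)) & mask)  # single number -> /8

def filter_base(f):   return ip_proto(f, ICMP) or ip_proto(f, UDP)          # 'ip proto 1 or ip proto 17'
def filter_ether(f):  return filter_base(f) or (ether_host(f, PC_B) and not ether_proto(f, ETH_ARP))
def filter_mcast(f):  return filter_base(f) or dst_net(f, "224.0.0.0", 32)  # '... or dst net 224.0.0.0'
def filter_mcast8(f): return filter_base(f) or dst_net(f, "224.0.0.0", 8)   # '... or dst net 224'

FRAMES = {  # constructed traffic as a promiscuous capture on PC A might see it
    "udp_to_B":    frame(PC_B, OTHER, ETH_IPV4, "192.168.1.10", "192.168.1.20", UDP),
    "icmp_from_B": frame(OTHER, PC_B, ETH_IPV4, "192.168.1.20", "192.168.1.10", ICMP),
    "tcp_from_B":  frame(OTHER, PC_B, ETH_IPV4, "192.168.1.20", "192.168.1.10", TCP),
    "tcp_to_B":    frame(PC_B, OTHER, ETH_IPV4, "192.168.1.10", "192.168.1.20", TCP),
    "arp_from_B":  frame("ff:ff:ff:ff:ff:ff", PC_B, ETH_ARP),
    "igmp_mcast":  frame("01:00:5e:00:00:fb", OTHER, ETH_IPV4, "192.168.1.10", "224.0.0.251", IGMP),
}

def matches(filt):
    """Names of the constructed frames that the given capture filter keeps."""
    return [name for name, pkt in FRAMES.items() if filt(parse(pkt))]
```

Running `matches()` over the four filters shows which of the constructed frames each expression keeps, so the effect of each added clause can be compared against what a capture actually contains.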