
Wireshark crashes while building Capture Filter

0

Every time I try to build this capture filter, Wireshark crashes with this error on Windows 7. The filter is: "not ether host xx.xx.xx.xx.xx.xx", where the x's are my IPv6 address. The crash always happens when I reach this point, "not ether host xxxx::", on entering the second colon. The error I get from Windows 7 64-bit is: "Runtime Error Program: C:\Program Files\Wireshark\Wireshark.exe. This program has requested the Runtime to terminate in an unusual way." Any information on what I may be doing wrong would be appreciated. Thanks

asked 19 Jan '14, 08:41


Strydr
accept rate: 0%

edited 19 Jan '14, 08:43


3 Answers:

2

not ether host needs to be followed by an address in ethernet format nn:nn:nn:nn:nn:nn

To capture all traffic other than to a specific IPV6 host you need to use

not host nnnn::...

In any case, not ether host nnnn:: should not cause a crash.

It would be appreciated if you could file a bug at bugs.wireshark.org (Thanks)

answered 19 Jan '14, 09:19


Bill Meier ♦♦
accept rate: 17%

edited 19 Jan '14, 09:28

Thanks for the quick answer. I'll file a report as soon as possible.

(19 Jan '14, 16:16) Strydr

2

This is a libpcap bug, fixed in this commit; it's fixed in libpcap 1.5.1 and later, but, unfortunately, there's no version of WinPcap based on that version of libpcap.

The workaround is to specify MAC addresses as xx:xx:xx:xx:xx:xx, not as IPv6 addresses; the fix means that you will get an error if you specify them as IPv6 addresses, so you still won't be able to do that, it just means that programs using libpcap/WinPcap will tell you "that doesn't work" rather than just crashing.

So don't say "not ether host xxxx:: ...".

answered 19 Jan '14, 15:15


Guy Harris ♦♦
accept rate: 19%

Thanks for the great answer. It's good to know the whys of a problem, plus a workaround. So if I don't want this problem and I want to use the filter with my syntax, I should be in a Linux distro.

(19 Jan '14, 16:40) Strydr

No.

If you are using a UN*X (Linux distribution, *BSD, OS X, whatever) with a libpcap prior to 1.5.1, you'll get a crash if you use "not ether host xxxx::...", just as you do on Windows.

If you are using a UN*X (Linux distribution, *BSD, OS X, whatever) with libpcap 1.5.1 or later, you'll get an error message if you use "not ether host xxxx::...".

If you want to filter out a given MAC address, use "not ether host xx:xx:xx:xx:xx:xx", where "xx:xx:xx:xx:xx:xx" is the MAC address you want to filter out.

If you want to filter out a given IPv6 address, use "not host xxxx::..." or "not ip6 host xxxx::...", where "xxxx:..." is the IPv6 address you want to filter out.

(19 Jan '14, 16:47) Guy Harris ♦♦
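A pre-check for the MAC-versus-IPv6 mix-up discussed in this thread, as an added example that is not part of the original posts and is not libpcap's or Wireshark's own code. It tokenizes a capture filter on whitespace (an assumed, deliberate simplification of the libpcap grammar: ports, nets and parentheses are ignored) and reports when the operand of `ether host`/`src`/`dst` is an IPv6 address rather than a MAC, returning the `ip6 host` form the answers above recommend. It goes a little beyond the thread by also flagging the reverse mistake, a MAC address after `ip6 host` or `ip host`, which would otherwise be handed to hostname resolution.

```python
import ipaddress
import re

# A MAC address in the form "ether host" expects: six hex octets separated by colons.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Qualifiers that take an address operand.
DIRECTIONS = ("host", "src", "dst")


def is_mac(addr: str) -> bool:
    return MAC_RE.match(addr) is not None


def is_ipv6(addr: str) -> bool:
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return True


def is_ipv4(addr: str) -> bool:
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return True


def check_capture_filter(expr: str):
    """Hypothetical helper (not libpcap's parser): whitespace-tokenize a capture
    filter and sanity-check the operand of each 'ether/ip/ip6 <host|src|dst>'
    and bare '<host|src|dst>' primitive.

    Returns (problems, suggestion): a list of human-readable problems, and the
    filter rewritten so that an IPv6 address after 'ether <dir>' becomes
    'ip6 <dir>'. An empty problem list means nothing here objected.
    """
    tokens = expr.split()
    out = list(tokens)
    problems = []
    i = 0
    while i < len(tokens):
        proto = tokens[i]
        if proto in ("ether", "ip", "ip6") and i + 2 < len(tokens) and tokens[i + 1] in DIRECTIONS:
            direction, addr = tokens[i + 1], tokens[i + 2]
            where = f"'{proto} {direction} {addr}'"
            if proto == "ether" and not is_mac(addr):
                if is_ipv6(addr):
                    # The exact mistake from the question: an IPv6 address where a MAC belongs.
                    problems.append(
                        f"{where}: 'ether' expects a MAC (xx:xx:xx:xx:xx:xx); "
                        f"use 'ip6 {direction} {addr}' or '{direction} {addr}'"
                    )
                    out[i] = "ip6"
                else:
                    problems.append(f"{where}: not a MAC address")
            elif proto == "ip" and (is_mac(addr) or is_ipv6(addr)):
                problems.append(f"{where}: 'ip' expects an IPv4 address or hostname")
            elif proto == "ip6" and (is_mac(addr) or is_ipv4(addr)):
                problems.append(f"{where}: 'ip6' expects an IPv6 address or hostname")
            i += 3
        elif proto in DIRECTIONS and i + 1 < len(tokens):
            addr = tokens[i + 1]
            # Bare host/src/dst takes IPv4, IPv6 or a hostname; only a MAC is wrong here.
            if is_mac(addr):
                problems.append(f"'{proto} {addr}': looks like a MAC address; use 'ether {proto} {addr}'")
            i += 2
        else:
            i += 1
    return problems, " ".join(out)


if __name__ == "__main__":
    # Constructed sample filters; 2001:db8:: is a documentation-range IPv6 address.
    for expr in ("not ether host 2001:db8::",
                 "not ether host 00:11:22:33:44:55",
                 "not host 2001:db8::1"):
        problems, suggestion = check_capture_filter(expr)
        print(expr, "->", suggestion, problems or "ok")
```

Running the check before handing a filter to an old libpcap/WinPcap turns the crash the question describes into a message naming the offending primitive and the corrected form.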

1

The filter ether host ... is for MAC address filtering. For IP address filtering use host ....

Admittedly it would be handy if Wireshark didn't crash when an incorrect filter is entered. Please raise a bug for this on the Wireshark Bugzilla.

answered 19 Jan '14, 09:25


grahamb ♦
accept rate: 22%

Thanks for the quick answer. I must say that is the quickest I have ever received an answer in any forum. I'll try using that syntax and see what happens.

(19 Jan '14, 16:00) Strydr