This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need to filter based on “InDiscards”

0

Not having any luck trying to filter my capture down to InDiscards. I'm getting a lot of InDiscards on my Cisco 5505. I enabled port mirroring and ran the capture.

Any tips on how to find InDiscards in wireshark?

asked 20 Feb '15, 11:07

ParseMeHard's gravatar image

ParseMeHard
1111
accept rate: 0%


One Answer:

1

You will not be able to filter on In-Discards in Wireshark. In-Discards are valid inbound frames that are discarded by the switch because they do not need to be switched. See this web page for an explanation, including why In-Discards are not always a problem. (It's for a Catalyst 6500 series switch, but the principle is the same.) The discarded frames may or may not be in your capture, depending on where your capture point is.

You said you enabled port mirroring. If the port you mirrored would have been the egress port for the discarded frames, then they will not be in your capture because they will have been discarded at the ingress port. If the port you mirrored is the ingress port for those frames, then it depends on whether the Cisco switch performs the mirroring function before or after the discard function.

In-Discard is an action taken by the switch, not an attribute of the frame, which is why you can't identify or filter on them in Wireshark. Even if these frames are in your capture, because they haven't been discarded yet, there is nothing in the frame that tells you that the frame is going to eventually be discarded.

answered 20 Feb '15, 16:00

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

edited 20 Feb '15, 16:05