Hi, I want to capture packets going between a remote server in my VLAN and a remote subnet that is connected to the same core switch as my server. I also want to exclude any traffic coming from/to the server that I have Wireshark running on:

Wireshark is on server: 10.250.255.241
I want to capture traffic between: 10.250.255.77 and the 10.100.100.xxx network

I assumed that the capture filter would look like one of these:

host 10.250.255.77 and net 10.100.100.0/24
or
src net 10.100.100.100.0/24 and host 10.250.255.77

I'm also not sure how to exclude traffic from 10.250.255.241. The capture is not showing any traffic, but there should be lots of traffic between that host and that network. What am I doing wrong?

asked 08 Jun '15, 06:19 rdub15
One Answer:
This filter will capture bi-directional traffic between the server and network, while excluding the traffic from your Wireshark machine:

host 10.250.255.77 and net 10.100.100 and !(host 10.250.255.241)

answered 08 Jun '15, 07:35 Amato_C
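To make the semantics of the answer's filter concrete, here is an added Python example (not part of the original thread, and not Wireshark or libpcap code) that models pcap-style `host`, `net`, `src net`, `and` and `!` as predicates and runs them over a handful of constructed (src, dst) address pairs. It spells `net 10.100.100` out as `10.100.100.0/24`, which is what the dotted-triple shorthand expands to in pcap-filter syntax. The sample packets and the helper names are assumptions made for the illustration; the point it shows is that `host X and net N` matches both directions of a conversation, `src net N and host X` matches only one direction, and `!(host Y)` drops anything the capturing machine itself sends or receives.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Minimal stand-in for a captured IPv4 packet (constructed for this example).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

Predicate = Callable[[Packet], bool]

# pcap "host A": A is either the source or the destination address.
def host(addr: str) -> Predicate:
    ip = ipaddress.ip_address(addr)
    return lambda p: ipaddress.ip_address(p.src) == ip or ipaddress.ip_address(p.dst) == ip

# pcap "net N": source or destination falls inside the network (bi-directional).
def net(cidr: str) -> Predicate:
    n = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in n or ipaddress.ip_address(p.dst) in n

# pcap "src net N": only the source address is tested (one direction only).
def src_net(cidr: str) -> Predicate:
    n = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in n

# pcap "!expr" / "not expr".
def not_(pred: Predicate) -> Predicate:
    return lambda p: not pred(p)

# pcap "a and b and ...".
def and_(*preds: Predicate) -> Predicate:
    return lambda p: all(pred(p) for pred in preds)

# The answer's filter:  host 10.250.255.77 and net 10.100.100 and !(host 10.250.255.241)
ANSWER_FILTER = and_(host("10.250.255.77"), net("10.100.100.0/24"), not_(host("10.250.255.241")))

# The asker's second attempt:  src net ... and host 10.250.255.77 (one-directional)
SRC_ONLY_FILTER = and_(src_net("10.100.100.0/24"), host("10.250.255.77"))

# Constructed sample traffic, not captured from any real network.
SAMPLE: List[Packet] = [
    Packet("10.250.255.77", "10.100.100.15"),   # fax server -> VoIP subnet
    Packet("10.100.100.15", "10.250.255.77"),   # VoIP subnet -> fax server
    Packet("10.250.255.241", "10.250.255.77"),  # Wireshark host -> fax server (excluded)
    Packet("10.250.255.241", "10.100.100.15"),  # Wireshark host -> VoIP subnet (excluded)
    Packet("10.250.255.77", "10.250.255.241"),  # fax server -> Wireshark host (excluded)
    Packet("10.100.100.20", "10.100.100.15"),   # VoIP-internal traffic, no fax server involved
]

def apply_filter(pred: Predicate, packets: List[Packet]) -> List[Packet]:
    """Return the packets the capture filter would keep."""
    return [p for p in packets if pred(p)]

if __name__ == "__main__":
    for name, pred in (("answer", ANSWER_FILTER), ("src-only", SRC_ONLY_FILTER)):
        kept = apply_filter(pred, SAMPLE)
        print(f"{name}: {len(kept)} packet(s) kept")
        for p in kept:
            print(f"  {p.src} -> {p.dst}")
```

Running it keeps both directions of the fax-server/VoIP conversation under the answer's filter and only the VoIP-to-fax-server direction under the `src net` variant. Note that a correct filter still shows nothing if the frames never reach the capturing NIC, which is the switch-port (mirror/SPAN) question raised later in the thread.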
Thanks, Amato_C. The filter you wrote looks like it should work, but it still isn't. Is there anything else I'm not taking into consideration? I'm not very familiar with Wireshark but I know that traffic is passing between that server and that subnet. The server is a fax server and the subnet is for the VOIP switches. We are using FOIP and I know that faxes are being sent and received. I'm very confused as to why I can't capture the packets...
Let's start with the basics. Maybe your configuration is not correct to capture traffic. Please read the following Wiki: https://wiki.wireshark.org/CaptureSetup/Ethernet
I suspect you are capturing traffic on a switch port which has not been configured as a mirror port.