This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dumpcap filter doesn’t work on Windows 2012

0

Hi,

I recently installed the latest Wireshark & WinPcap on a Windows 2012 server. When I want to use the dumpcap command straight from the DOS prompt and add a filter, it is not capturing any packets (while I know the filter should provide packets). There is no syntax error.

Same dumpcap under either W7 or W2008R2 works fine.

I tried to run the DOS box under admin rights, but no difference.

Any ideas?

Thanks Marc

asked 27 Jun '15, 14:41

mlaporte74

Does WinDump work? Can Wireshark capture with the same filter? If not, this is probably a WinPcap problem.

(27 Jun '15, 15:00) Guy Harris ♦♦

What are your dumpcap CLI options and what is the output of dumpcap -D -M?

(27 Jun '15, 15:07) Kurt Knochner ♦

Hi,

Thanks for the responses so far. Here's the requested info...

WinDump doesn't work on W2012, so I can't install this to test it with.

Yes, I can capture with Wireshark with the same filter, and get expected output.

E:\Program Files (x86)\Wireshark>dumpcap -i 1 -b duration:600 -f "host 172.23.66.83" -w "E:\Dumpfiles\capture.pcap"
Capturing on 'VLAN 194'
File: E:\Dumpfiles\capture_00001_20150629154350.pcap
Packets captured: 0
Packets received/dropped on interface 'VLAN 194': 0/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (0.0%)

E:\Program Files (x86)\Wireshark>dumpcap -D -M

  1. \Device\NPF_{175C0321-A028-4589-9373-70FAA304CE05} VMware vmxnet3 virtual network device VLAN 194 8 fe80::e03b:c307:2efc:2639,172.22.36.91 network

(29 Jun '15, 06:51) mlaporte74

Correction: I cannot use the capture filter on Wireshark either.

If it's a WinPcap issue, what to do?

Using suggested filter (vlan and host) makes no difference

dumpcap -i 1 -b duration:600 -f "vlan and host 172.23.66.83" -w "E:\Dumpfiles\capture.pcap"

(29 Jun '15, 12:42) mlaporte74

One Answer:

0

The name of the interface (VLAN 194) implies that there is a VLAN configured on that interface.

Please try the following:

dumpcap -i 1 -b duration:600 -f "vlan and host 172.23.66.83" -w "E:\Dumpfiles\capture.pcap"

Regards
Kurt

answered 29 Jun '15, 07:47

Kurt Knochner ♦
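
Why the answer proposes the vlan keyword, shown as an added example that is not part of the original thread: a simplified Python model of the byte offsets a compiled "host" filter checks, with and without an 802.1Q tag. The frames are constructed, the function names are hypothetical, only the IPv4 branch of "host" is modelled, and whether the tag is still present when the capture driver sees the frame is an assumption that depends on the NIC and driver.

```python
import socket
import struct

ETH_IPV4 = 0x0800    # EtherType for IPv4
ETH_8021Q = 0x8100   # TPID that marks an 802.1Q VLAN tag


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet/IPv4 frame: zeroed MACs, minimal 20-byte IP header."""
    frame = bytes(12)  # destination MAC + source MAC
    if vlan_id is not None:
        # The 4-byte tag (TPID + TCI) sits between the MACs and the EtherType
        frame += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return frame + ip


def match_host(frame, ip, link_off=0):
    """IPv4 part of 'host <ip>': EtherType at 12, source at 26, destination at 30."""
    addr = socket.inet_aton(ip)
    (ethertype,) = struct.unpack_from("!H", frame, 12 + link_off)
    if ethertype != ETH_IPV4:
        return False  # on a tagged frame this field holds 0x8100
    src = frame[26 + link_off:30 + link_off]
    dst = frame[30 + link_off:34 + link_off]
    return addr in (src, dst)


def match_vlan_and_host(frame, ip):
    """'vlan and host <ip>': require 0x8100 at offset 12, then shift offsets by 4."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_8021Q and match_host(frame, ip, link_off=4)


if __name__ == "__main__":
    target = "172.23.66.83"  # filter address from the thread
    untagged = build_frame(target, "172.22.36.91")
    tagged = build_frame(target, "172.22.36.91", vlan_id=194)
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(name, "host:", match_host(frame, target),
              "vlan and host:", match_vlan_and_host(frame, target))
```
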