Hello, I'm finding the capture filters utterly impenetrable. Could someone help me out please? All I want to do is filter out HSRP packets (I'm capturing from a mirror port on a switch). Thank you.
asked 26 Jan '16, 07:14 Cauliflower
One Answer:
Capture filters, as they have to run at high speed so as not to drop packets when capturing, are simpler than display filters and have less "knowledge" about protocols, and none at all about HSRP in particular. What you can do, though, is filter on those aspects of HSRP that capture filters can handle, e.g. the UDP port or the MAC address, using a capture filter such as
answered 26 Jan '16, 07:50 grahamb ♦
Thanks, I'm giving this a try:
not udp port 1985 and not udp port 2029
Ah, I misread the "filter out" bit. I think you might want to try the filter
not (udp port 1985 or udp port 2029)
I would be careful with filtering packets out by MAC address prefix because, if used alone, it would also be too wide in my understanding of how HSRP works.
If I understand @Cauliflower right, (s)he wants to get rid only of the HSRP packets themselves (we might call it "HSRP management" traffic), while all the other packets to or from the HSRP virtual MAC address (which represents the IP of the virtual gateway) should most likely not be filtered out as they are the real traffic running through the gateway.
So my suggestion of the capture filter would be
not (udp and dst host 224.0.0.2 and port 1985)
for HSRPv1, and
not (udp and ((dst host 224.0.0.102 and port 1985) or (dst host ff02::66 and port 2029)))
for HSRPv2. And only if that is still too wide, add
and ether[6]=0 and ether[7]=0 and ether[8]=0xc and ether[9]=0x9f and ether[10]&0xf0=0xf0
to the IPv4 part of the HSRPv2 filter, and correspondingly modified expressions for HSRPv1 and/or the IPv6 part of the HSRPv2 filter (different MAC addresses in both cases).
Thanks both, yes sindy is right, I want to exclude the HSRP 'management' traffic (Hellos etc.), not traffic to/from the HSRP virtual IP/MAC.
I'll try
not (udp and ((dst host 224.0.0.102 and port 1985) or (dst host ff02::66 and port 2029)))
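An added worked example, not code from the thread or from any of its posters: a small Python script that builds constructed Ethernet/IPv4/IPv6/UDP frames and evaluates the same predicate as the port-and-multicast capture filter discussed above, next to a source-MAC-prefix-only filter, so you can see which frames each one keeps and why the MAC-prefix approach alone is too wide. The `udp_endpoints` parser, the sample MAC addresses, the IP addresses (documentation ranges) and the frame contents are all assumptions of the example. On a real capturing host, `tcpdump -d '<filter>'` shows the compiled BPF program for an expression and `tcpdump -r file.pcap '<filter>'` replays it against a saved capture.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# The combined capture filter from the thread, grouped so that the 'udp' test
# applies to both branches ('and' binds tighter than 'or' in pcap-filter syntax).
CAPTURE_FILTER = (
    "not (udp and ((dst host 224.0.0.2 and port 1985)"
    " or (dst host 224.0.0.102 and port 1985)"
    " or (dst host ff02::66 and port 2029)))"
)

# (destination address, port) pairs that identify HSRP protocol traffic.
HSRP_TARGETS = {("224.0.0.2", 1985), ("224.0.0.102", 1985), ("ff02::66", 2029)}
HSRPV2_VMAC_OUI = bytes.fromhex("00000c9f")  # HSRPv2 virtual MACs: 00:00:0c:9f:fx:xx


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


# --- frame builders: constructed sample data, not captured traffic ---
def ipv4_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # csum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + udp


def ipv6_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(udp), 17, 64,
                      IPv6Address(src_ip).packed, IPv6Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x86\xdd" + ip6 + udp


def arp_reply_frame(src_mac, dst_mac, src_ip, dst_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      mac(src_mac), IPv4Address(src_ip).packed,
                      mac(dst_mac), IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x06" + arp


# --- a minimal evaluator with the semantics of the pcap-filter expression ---
def udp_endpoints(frame):
    """(dst_ip, sport, dport) for Ethernet/IPv4-or-IPv6/UDP, else None.
    Simplifications: no VLAN tag, no IPv4 fragments, no IPv6 extension headers."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                 # IPv4: protocol byte at 14+9
        if frame[23] != 17:
            return None
        dst = str(IPv4Address(frame[30:34]))
        l4 = 14 + (frame[14] & 0x0F) * 4    # honour the IHL field
    elif ethertype == 0x86DD:               # IPv6: next-header byte at 14+6
        if frame[20] != 17:
            return None
        dst = str(IPv6Address(frame[38:54]))
        l4 = 54
    else:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return dst, sport, dport


def is_hsrp(frame):
    """'udp and ((dst host X and port P) or ...)'; 'port P' matches either direction."""
    ep = udp_endpoints(frame)
    if ep is None:
        return False
    dst, sport, dport = ep
    return any(dst == t_dst and t_port in (sport, dport) for t_dst, t_port in HSRP_TARGETS)


def keep_by_port_filter(frame):
    return not is_hsrp(frame)


def src_is_hsrpv2_virtual_mac(frame):
    """ether[6..11] is the source MAC; match 00:00:0c:9f:fx:xx."""
    src = frame[6:12]
    return src[:4] == HSRPV2_VMAC_OUI and (src[4] & 0xF0) == 0xF0


def keep_by_mac_prefix_only(frame):
    """The too-wide alternative: drop everything sourced from an HSRPv2 virtual MAC."""
    return not src_is_hsrpv2_virtual_mac(frame)


SAMPLES = {  # constructed frames; source MACs and IPs are assumptions of the example
    "hsrpv1 hello": ipv4_udp_frame("00:00:0c:07:ac:01", "01:00:5e:00:00:02",
                                   "192.0.2.2", "224.0.0.2", 1985, 1985, b"\x00" * 20),
    "hsrpv2 hello ipv4": ipv4_udp_frame("00:00:0c:9f:f0:01", "01:00:5e:00:00:66",
                                        "192.0.2.2", "224.0.0.102", 1985, 1985),
    "hsrpv2 hello ipv6": ipv6_udp_frame("00:00:0c:9f:f0:01", "33:33:00:00:00:66",
                                        "fe80::1", "ff02::66", 2029, 2029),
    "client dns via virtual gw": ipv4_udp_frame("00:11:22:33:44:55", "00:00:0c:9f:f0:01",
                                                "192.0.2.10", "198.51.100.5", 40000, 53),
    "arp reply for virtual ip": arp_reply_frame("00:00:0c:9f:f0:01", "00:11:22:33:44:55",
                                                "192.0.2.1", "192.0.2.10"),
}


def classify():
    """name -> (kept by port/multicast filter, kept by MAC-prefix-only filter)"""
    return {n: (keep_by_port_filter(f), keep_by_mac_prefix_only(f)) for n, f in SAMPLES.items()}


if __name__ == "__main__":
    print(CAPTURE_FILTER)
    for name, (port_keep, mac_keep) in classify().items():
        print(f"{name:26s} port filter keeps: {port_keep!s:5s} MAC prefix only keeps: {mac_keep}")
```

Running it shows the port/multicast filter dropping all three HSRP frames while keeping the client's DNS query and the ARP reply for the virtual IP, whereas the MAC-prefix-only filter misses the HSRPv1 hello (different virtual MAC range) and drops the ARP reply, which is exactly the "too wide" problem raised in the thread.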