This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm not sure what I'm doing wrong. I have my router configured to use rpcapd. I can connect using the remote interface dialogue box & see a list of interfaces on the router. Previously, I was able also to input a capture filter "host 192.168.1.53 or host 192.168.1.65" but now, whenever I enter this, or even a single "host 192.168.1.53", the capture filter portion gets greyed out in red as through the syntax is wrong & the start button is de-activated.

I can't think what could have changed or what I'm doing wrong? Any suggestions? Apologies in advances for noob issues.

asked 10 Nov '16, 14:49

Madumi's gravatar image

Madumi
6113
accept rate: 0%

I don't dare yet to post this as an answer as I have never seen the remote interface dialogue box, but the new start page of Wireshark wants you to select one or more interfaces before starting to fill the capture filter form field. Each of the interfaces may have its own capture filter, but only the one for the selected interface is shown in the capture filter field.

Try that there in the remote interface dialogue box and let me know if it worked, if so, I'll make it an answer.

(10 Nov '16, 14:54) sindy

Thanks for the reply sindy.

Sadly that doesn't seem to help. Whether I try to write the capture filter in the remote capture dialogue box, or whether I try to write it in the main screen after selecting for eg. the br0 interface (see screen capture), the filter is greyed out in red.

What vexes me is that it worked the first few times I tried it. Now however, it doesn't seem to accept the filters I'm tying in.

Any ideas?

(10 Nov '16, 21:18) Madumi

Wilde guess: did you previously capture (without filter) first and then added a filter for subsequent capture?

(10 Nov '16, 22:19) Jaap ♦

Yes, I tried capturing without a filter first (it captures traffic from all the IP's without any problem)... I've tried starting it different ways, together with stopping rpcapd & restarting...

(10 Nov '16, 22:57) Madumi

For what it's worth, I tried re-installing wireshark & erasing preferences, but it still seems to be having the same problem. Is the syntax host 192.168.1.53 somehow wrong?

(11 Nov '16, 03:42) Madumi

OK, this has got to sound weird...

I found a "fix" by:

  1. selecting only one interface (eg. br0)
  2. exiting from the capture interfaces dialogue box,
  3. turning caps lock on and off
  4. capture filters now turned green...

Not sure why this could have fixed the bad syntax block, but it's working. Hope it helps someone else :)

permanent link

answered 11 Nov '16, 23:35

Madumi's gravatar image

Madumi
6113
accept rate: 0%

edited 12 Nov '16, 09:22

Jaap's gravatar image

Jaap ♦
11.7k16101

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×184

question asked: 10 Nov '16, 14:49

question was seen: 4,050 times

last updated: 12 Nov '16, 09:22

p​o​w​e​r​e​d by O​S​Q​A