
linux capture filter problems

0

Hi, I have some issues with capture filters not working on a Linux server. Even a simple filter like "x.x.x.x" will cause no packets to be displayed. If I filter after capture using a display filter, it works fine: "ip.addr==x.x.x.x". I have tried this on a different network interface on the same machine and found capture filters are working fine on that one. The only difference I can think of between those 2 interfaces is that the first one has a lot of traffic on it (250Mbps+). Has anyone else faced a similar problem or know of certain limitations for capture filters? Thanks!

asked 29 Aug '11, 23:34


menumorut

After answering your question, I saw that it was deleted. I think this can be a useful question/answer to others, so I undeleted it. Please add the way you solved your issue as a comment.

(30 Aug '11, 00:35) SYN-bit ♦♦

One Answer:

1

"x.x.x.x" is not a valid capture filter; you will have to use "host x.x.x.x". But assuming you did indeed use "host x.x.x.x", the problem might be that your packets are encapsulated. This can be either by vlan-tagging, pppoe, mpls, etc.

Please capture a few packets without a filter, then use the display filter and look for vlan-tagging or a protocol between the Ethernet and the IP layer.

If the packets are vlan-tagged, then you can use "vlan and host x.x.x.x" as a capture filter. For other protocols it depends on the protocol what kind of filter you may need to use.

answered 30 Aug '11, 00:16


SYN-bit ♦♦
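Added example, not part of the original answer and not Wireshark or libpcap code: a simplified Python model of why a plain "host" capture filter matches nothing on 802.1Q-tagged traffic while "vlan and host" does. The frames, the 192.0.2.x addresses and all function names are constructed for illustration, and the fixed offsets assume a plain Ethernet link layer with an IPv4 header directly after it.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed frame: Ethernet header (+ optional 802.1Q tag) + minimal IPv4 header."""
    eth = bytes(6) + bytes(6)  # dst/src MAC, zeroed placeholders
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def match_host(frame, ip, l2_shift=0):
    """Model of 'host <ip>': EtherType at offset 12 must be IPv4, then compare src/dst."""
    (ethertype,) = struct.unpack_from("!H", frame, 12 + l2_shift)
    if ethertype != ETH_IPV4:
        return False  # a tagged frame carries 0x8100 here, so it is rejected
    addr = socket.inet_aton(ip)
    src = frame[26 + l2_shift:30 + l2_shift]
    dst = frame[30 + l2_shift:34 + l2_shift]
    return addr in (src, dst)

def match_vlan_and_host(frame, ip):
    """Model of 'vlan and host <ip>': require a tag, then shift later offsets by 4 bytes."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETH_8021Q and match_host(frame, ip, l2_shift=4)

def encapsulation(frame):
    """What to look for in an unfiltered sample before choosing the capture filter."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return "vlan" if ethertype == ETH_8021Q else "ipv4" if ethertype == ETH_IPV4 else hex(ethertype)

# Constructed sample frames using documentation addresses.
UNTAGGED = build_frame("192.0.2.10", "192.0.2.20")
TAGGED = build_frame("192.0.2.10", "192.0.2.20", vlan_id=100)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, encapsulation(frame),
              "host:", match_host(frame, "192.0.2.10"),
              "vlan and host:", match_vlan_and_host(frame, "192.0.2.10"))
```

Note that in this model "vlan and host" no longer matches untagged frames, so an interface carrying both kinds of traffic needs both cases covered.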