This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the capture filter for getting both Syslog and ICMP Captures?

asked 24 May '17, 09:51

praveen453


Assuming that Syslog is transported over UDP port 514:

udp port 514 or icmp


answered 24 May '17, 13:47


Jaap ♦

No, I tried the above command before, but it is giving only the syslog capture and not both, as the function is "or". I used the below command: udp dst port 514 or icmp

(24 May '17, 23:10) praveen453

Well, this is the BPF (for Ethernet) if you're interested:

(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 6
(002) ldb      [20]
(003) jeq      #0x11            jt 4    jf 16
(004) ldh      [56]
(005) jeq      #0x202           jt 15   jf 16
(006) jeq      #0x800           jt 7    jf 16
(007) ldb      [23]
(008) jeq      #0x11            jt 9    jf 14
(009) ldh      [20]
(010) jset     #0x1fff          jt 16   jf 11
(011) ldxb     4*([14]&0xf)
(012) ldh      [x + 16]
(013) jeq      #0x202           jt 15   jf 16
(014) jeq      #0x1             jt 15   jf 16
(015) ret      #262144
(016) ret      #0

Maybe, when looking at the frame, you can figure out why it's not working for you. If VLAN is involved, prefix the filter with the vlan keyword.

(25 May '17, 07:56) Jaap ♦
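
An added example, not part of the original thread: a minimal interpreter for the classic BPF instructions used in the listing above, run over constructed Ethernet frames to show which packets the compiled filter accepts and why a VLAN-tagged frame falls through to `ret #0`. The helper names and sample frames are assumptions made for illustration.

```python
import struct

# Jaap's listing transcribed as (op, k, jt, jf); jump targets are absolute indices.
PROG = [
    ("ldh", 12, 0, 0), ("jeq", 0x86dd, 2, 6), ("ldb", 20, 0, 0),
    ("jeq", 0x11, 4, 16), ("ldh", 56, 0, 0), ("jeq", 0x202, 15, 16),
    ("jeq", 0x800, 7, 16), ("ldb", 23, 0, 0), ("jeq", 0x11, 9, 14),
    ("ldh", 20, 0, 0), ("jset", 0x1fff, 16, 11), ("ldxb", 14, 0, 0),
    ("ldh_x", 16, 0, 0), ("jeq", 0x202, 15, 16), ("jeq", 0x1, 15, 16),
    ("ret", 262144, 0, 0), ("ret", 0, 0, 0),
]

def load(frame, off, size):
    if off + size > len(frame):
        raise IndexError(off)          # classic BPF drops the packet on an out-of-range load
    return int.from_bytes(frame[off:off + size], "big")

def run(frame):
    """Return the filter's verdict: 262144 (snap length) = capture, 0 = drop."""
    a = x = pc = 0
    try:
        while True:
            op, k, jt, jf = PROG[pc]
            pc += 1
            if op == "ldh":     a = load(frame, k, 2)
            elif op == "ldb":   a = load(frame, k, 1)
            elif op == "ldxb":  x = 4 * (load(frame, k, 1) & 0xF)   # IPv4 header length
            elif op == "ldh_x": a = load(frame, x + k, 2)           # UDP destination port
            elif op == "jeq":   pc = jt if a == k else jf
            elif op == "jset":  pc = jt if a & k else jf            # non-first fragment check
            elif op == "ret":   return k
    except IndexError:
        return 0

# Constructed sample frames (zeroed addresses and checksums), not real captures.
def eth(ethertype, payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload, frag=0):
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, frag, 64, proto, 0) + bytes(8) + payload

def ipv6(next_hdr, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + bytes(32) + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

ICMP_ECHO = bytes([8, 0, 0, 0, 0, 0, 0, 0])
```

For example, `run(eth(0x0800, ipv4(1, ICMP_ECHO)))` returns 262144, while the same packet built with `vlan=10` returns 0 because the halfword at offset 12 is then 0x8100 rather than 0x800.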
question asked: 24 May '17, 09:51

question was seen: 946 times

last updated: 25 May '17, 07:56
