I'm trying to capture RTP traffic from one of my IP phones. When I run Wireshark on the server connected to a SPAN port I can easily see the RTP traffic. Unfortunately, when I use a capture filter like this: `host 192.168.9.4`, where the given IP is the address of my IP phone, it doesn't display RTP traffic at all (just some ARP traffic). Actually, when I use any capture filter at all (even just `udp`) it cuts almost all traffic. I know Wireshark itself is ok because when I connect my laptop with the same version of Wireshark to the same SPAN port it works just fine. Is it possible that there's some other driver on the server that is conflicting with the pcap driver installed with Wireshark? asked 07 Mar '12, 00:15 kyrisu
One Answer:
Most likely, your server does not strip the VLAN tags from the frames (while your laptop does). This means you need to change the capture filter to:
to capture all traffic to and from host 192.168.9.4. You can check whether there are VLAN tags in your packets by capturing without a filter and then looking at the Ethernet details to see if there is a VLAN tag present. See also: http://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters answered 07 Mar '12, 02:55 SYN-bit ♦♦
Thank you, that was exactly the issue :) Is there a way to force WinPcap to catch VLAN traffic by default? I'm using an app that has a hardcoded capture filter.
If the application uses a hardcoded capture filter, then you will have to make sure that WinPcap does not see VLAN tags. You might be able to configure your NIC driver to strip them (which most NIC drivers do by default). This can be done either in the normal settings or the registry. Have a look at the other information on the above-mentioned wiki page and/or contact your NIC vendor :-)
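To make the mechanism behind the answer and the follow-up comment concrete, here is an added Python example (not code from the thread or from Wireshark/libpcap). It builds two constructed Ethernet frames carrying a minimal IPv4 header, one untagged and one with an 802.1Q tag, and emulates how a BPF `host 192.168.9.4` filter decides a match: it reads the EtherType at byte offset 12 and expects 0x0800. A tagged frame has 0x8100 there, so the plain filter never matches and only ARP (which arrives untagged on the native VLAN in many setups) gets through; the `vlan and host ...` form skips the 4-byte tag first. The `strip_vlan_tag` function models what a NIC driver does when it removes tags before handing frames to WinPcap, which is why the hardcoded plain filter in the original poster's app works once stripping is enabled. The frame contents, MAC addresses and VLAN ID are constructed sample values, and the offset arithmetic is a simplification of libpcap's real filter program, not its code.

```python
import struct
import ipaddress

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # EtherType that announces an 802.1Q VLAN tag


def build_frame(src_ip, dst_ip, vlan_id=None, payload=b""):
    """Construct a sample Ethernet frame with a minimal IPv4 header.

    Constructed test data: MACs, VLAN id and payload are arbitrary.
    """
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
        0, 0,                         # identification, flags/fragment offset
        64, 17, 0,                    # TTL, protocol (17 = UDP, like RTP), checksum (unset)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    frame = dst_mac + src_mac
    if vlan_id is not None:
        # 802.1Q tag: TPID 0x8100 followed by PCP/DEI/VID; then the real EtherType
        frame += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", ETH_P_IP) + ip_header + payload
    return frame


def strip_vlan_tag(frame):
    """Emulate a NIC driver that removes the 802.1Q tag before pcap sees the frame."""
    if struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q:
        return frame[:12] + frame[16:]
    return frame


def matches_host(frame, host, vlan_aware=False):
    """Emulate the capture filter 'host <ip>' (vlan_aware=False)
    or 'vlan and host <ip>' (vlan_aware=True).

    Simplified model of the BPF offsets: EtherType at offset 12; the 'vlan'
    keyword shifts all later offsets by 4 bytes.
    """
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if vlan_aware:
        if ethertype != ETH_P_8021Q:
            return False          # 'vlan' only matches tagged frames
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETH_P_IP:
        return False              # a tagged frame shows 0x8100 here, so plain 'host' fails
    ip_start = off + 2
    src = ipaddress.IPv4Address(frame[ip_start + 12:ip_start + 16])
    dst = ipaddress.IPv4Address(frame[ip_start + 16:ip_start + 20])
    target = ipaddress.IPv4Address(host)
    return src == target or dst == target


def demo():
    """Return a dict of filter outcomes for the untagged and tagged sample frames."""
    phone = "192.168.9.4"
    untagged = build_frame(phone, "192.168.9.10")
    tagged = build_frame(phone, "192.168.9.10", vlan_id=100)
    return {
        "untagged, 'host'": matches_host(untagged, phone),
        "tagged, 'host'": matches_host(tagged, phone),
        "tagged, 'vlan and host'": matches_host(tagged, phone, vlan_aware=True),
        "tagged then NIC-stripped, 'host'": matches_host(strip_vlan_tag(tagged), phone),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:40s} -> {'match' if hit else 'no match'}")
```

Running the block shows the plain `host` filter matching the untagged frame but not the tagged one, the `vlan and host` form matching the tagged frame, and the stripped frame matching the plain filter again, which is the behaviour the thread describes for the laptop versus the server.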