This is a static archive of our old Q&A Site. Please post any new questions and answers at

How to troubleshoot wireshark when it doesn’t want to capture?


I'm trying to capture RTP traffic from one of my IP phones. When I run wireshark on the server connected to a span port I can easily see the RTP traffic. Unfortunately when I use capture filter like this:


where the given IP is the address of my IP phone it doesn't display RTP traffic at all (just some ARP traffic). Actually when I use any capture filter at all (even just "udp") it cuts almost all traffic.

I know wireshark itself is ok because when I connect my laptop with the same version of wireshark to the same span port - it works just fine.

Is possible that there's some other driver on the server that is conflicting with the pcap driver installed with wireshark?

asked 07 Mar '12, 00:15

kyrisu's gravatar image

accept rate: 0%

One Answer:


Most likely, your server does not strip the vlan tags from the frames (while your laptop does). This means you need to change the capture filter to:

vlan and host

to capture all traffic to and from host

You can check whether there are vlan tags in your packets by capturing without a filter and then look at the ethernet details is there is a vlan tag present.

See also:

answered 07 Mar '12, 02:55

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Thank you that was exactly the issue :) Is there a way to force winpcap to catch vlan traffic by default? I'm using an app that has hardcoded capture filter.

(07 Mar '12, 03:23) kyrisu

If the application uses a hardcoded capture filter, then you will have to make sure that WinPcap does not see vlag tags. You might be able to configure your NIC driver to strip them (which most NIC drivers do by default). This can be doen either in the normal settings or the registry. Have a look at the other information on the above-mentioned wiki-page and/or contact your NIC vendor :-)

(07 Mar '12, 03:33) SYN-bit ♦♦