Wireshark mailing list archives

Re: pcap / winpcap filters


From: Sake Blok <sake () euronet nl>
Date: Fri, 30 Apr 2010 10:06:11 +0200


On 30 apr 2010, at 09:13, marco () marcomp it wrote:

    I did another test on that in order to show you better what happens.
I enabled the mirroring functionality on a NAT xDSL router and I started pinging a public IP address. I post the traffic
captured using the pcap filter and without the pcap filter.

As you can see in the filtered pcap file I can't see the packets that start from my WAN interface to the IP address I'm
pinging ...

OK, that clears things up. The xDSL traffic that you want to see is encapsulated in PPPoE. Because of the PPPoE header
wireshark needs to use a different offset to look for ip-addresses (in the same manner as it needs to be done for vlan
tagged traffic, but with a different shift in the offset). So you could use the filter:

"pppoes and (port 5060 or port 53)"

This filter will capture all the SIP and DNS traffic on the xDSL side. If you want to capture both LAN side and xDSL 
side traffic, make sure you place your LAN side filters first as the keyword pppoes will shift the offset permanently.

i.e., use "port 5060 or port 53 or (pppoes and (port 5060 or port 53))" instead of "(pppoes and (port 5060 or port 53))
or port 5060 or port 53"

For a more technical insight, you could use "tcpdump -d <filter>" to see the compiled BPF filter that will be used 
(wireshark/tshark don't have the -d option) and you can see the difference between the two filters.

Cheers,


Sake

PS  If you want to capture for days, you'd better use dumpcap. Something like dumpcap -s0 -w <file> -b filesize:16384
-b files:64 "<filter>" to create a 1GB ringbuffer
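To see why a bare "port 53" filter misses the WAN-side packets, here is an added Python example (not code from the thread) that decodes two constructed Ethernet frames, one plain and one PPPoE-session encapsulated, and shows the IPv4 header landing at offset 14 versus 22; a fixed-offset port check modelled on the plain-Ethernet filter matches the first frame only. MAC and IP addresses are constructed sample values, and checksums are left zero.

```python
import struct
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100           # 802.1Q tag, the "vlan" keyword case
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage, the "pppoes" keyword case
PPP_PROTO_IPV4 = 0x0021

def ipv4_offset(frame):
    """Byte offset of the IPv4 header in an Ethernet frame, or None."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == ETHERTYPE_VLAN:            # 4 extra bytes: TCI + inner ethertype
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETHERTYPE_PPPOE_SESSION:   # 6-byte PPPoE header + 2-byte PPP protocol
        if struct.unpack_from("!H", frame, off + 6)[0] != PPP_PROTO_IPV4:
            return None
        return off + 8
    return off if ethertype == ETHERTYPE_IPV4 else None

def udp_ports(frame, ip_off):
    """(sport, dport) of the UDP datagram behind the IP header at ip_off, or None."""
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:                # IP protocol 17 = UDP
        return None
    return struct.unpack_from("!HH", frame, ip_off + ihl)

def port_matches(frame, port):
    """'port N' evaluated after the vlan/pppoes offset shift has been applied."""
    off = ipv4_offset(frame)
    return off is not None and port in (udp_ports(frame, off) or ())

def naive_port_matches(frame, port):
    """A bare 'port N' as compiled for plain Ethernet: ethertype 0x0800, IP at offset 14."""
    return frame[12:14] == b"\x08\x00" and port in (udp_ports(frame, 14) or ())

def build_ipv4_udp(src, dst, sport, dport, payload=b"\x00" * 4):
    """Constructed sample IPv4/UDP packet; checksums left zero on purpose."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + udp

MACS = bytes.fromhex("001122334455" "66778899aabb")   # constructed dst/src MACs
DNS = build_ipv4_udp("192.168.1.10", "203.0.113.1", 40000, 53)
LAN_FRAME = MACS + struct.pack("!H", ETHERTYPE_IPV4) + DNS
PPPOE_HDR = struct.pack("!BBHHH", 0x11, 0x00, 0x0001, 2 + len(DNS), PPP_PROTO_IPV4)
WAN_FRAME = MACS + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + PPPOE_HDR + DNS
for name, frame in (("LAN", LAN_FRAME), ("WAN/PPPoE", WAN_FRAME)):
    print(name, "IP at", ipv4_offset(frame), "bare port 53:", naive_port_matches(frame, 53), "pppoes-aware:", port_matches(frame, 53))
```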




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe