Wireshark mailing list archives
Re: conditional display filters on Wireshark?
From: Rogelio <scubacuda () gmail com>
Date: Tue, 19 Jul 2011 16:13:17 -0300
Chris Maynard wrote:
Yes, this is possible. Have a look here: http://wiki.wireshark.org/DisplayFilters http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
Thanks, Chris. Your URL was helpful in helping me determine unknown unicast traffic in an L2TPv2 tunnel.
What I did...
display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33)
(to show unicast traffic that was coming from places other than the Cisco gateway ethernet MAC addr)
Then I'm drilling down from there to look more closely in that traffic
display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33) && l2tp && arp (&& other stuff to narrow down this big list)
Once I find an interesting packet, then I see if it ever originated on my segment
e.g. display filter: eth.src == Apple_99:88:77
If it doesn't, then I know that the unicast is a problem and that I could very well need some sort of a switch with UUFB (unknown unicast flood blocking).
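The filtering steps in the message above, as an added example that is not part of the original post: the Python below applies the same tests to raw Ethernet headers and reports unicast destinations that are neither the gateway nor ever seen as a source on the segment. The MAC addresses and sample frames are constructed, only the destination I/G bit is tested, and treating the address checked with eth.src as the candidate frame's destination MAC is an assumption.

```python
"""Offline version of the filter steps above, run over constructed Ethernet headers."""

GATEWAY = "02:00:00:11:22:33"   # constructed stand-in for Cisco_11:22:33

def mac(b: bytes) -> str:
    return ":".join(f"{o:02x}" for o in b)

def parse_eth(frame: bytes):
    """Return (dst, src) MAC strings from the first 12 bytes of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return mac(frame[0:6]), mac(frame[6:12])

def is_group(addr: str) -> bool:
    """I/G bit: least significant bit of the first octet (broadcast/multicast)."""
    return bool(int(addr[:2], 16) & 0x01)

def unknown_unicast(frames, gateway=GATEWAY):
    """Destinations that are unicast, not the gateway, and never seen as a source."""
    headers = [parse_eth(f) for f in frames]
    local_sources = {src for _, src in headers}      # every eth.src on the segment
    suspects = {}
    for dst, _src in headers:
        if is_group(dst) or dst == gateway:          # !(eth.ig == 1) && !(eth.dst == gw)
            continue
        if dst not in local_sources:                 # "eth.src == <dst>" matches nothing
            suspects[dst] = suspects.get(dst, 0) + 1
    return suspects

def frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a constructed header-only frame for the sample capture."""
    raw = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return raw + ethertype.to_bytes(2, "big")

# Constructed sample capture (not from the original post).
HOST_A, HOST_B, STRANGER = "02:00:00:aa:aa:01", "02:00:00:aa:aa:02", "02:00:00:99:88:77"
SAMPLE = [
    frame("ff:ff:ff:ff:ff:ff", HOST_A, 0x0806),  # broadcast ARP: dropped by the I/G test
    frame(GATEWAY, HOST_A),                      # to the gateway: excluded
    frame(HOST_B, HOST_A),                       # known unicast: HOST_B also transmits
    frame(HOST_A, HOST_B),
    frame(STRANGER, GATEWAY),                    # flooded: STRANGER never transmits here
    frame(STRANGER, GATEWAY),
]

if __name__ == "__main__":
    for dst, count in unknown_unicast(SAMPLE).items():
        print(f"{dst} seen as destination {count}x, never as source")
```

A destination reported here is a candidate only within the capture window: a host that was silent during the capture looks the same as one that is not on the segment at all.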