Re: can't filter bidirectional traffic

[Guy Harris <guy () alum mit edu>]

On Apr 21, 2014, at 3:12 PM, Noam Birnbaum <noam () maccentricsolutions com> wrote:

> I posted this on the wiki but haven’t gotten much help.
>
> I'm trying to filter capture traffic. I want to see all LPD traffic to/from a particular printer. However, regardless 
> of whether I use "host 1.2.3.4" or "tcp port 515", Wireshark captures only traffic originating from the printer; it 
> doesn't capture traffic from the other side of the TCP connection.
>
> However, when I capture with no capture filters, both Tx and Rx are captured!

And, as per further comments on the Wiki, when you capture with no capture filters, and then use a *display* filter of 
"ip.addr == 1.2.3.4" or "tcp.port == 515", you see traffic from *and* to the printer.

So:

        o do the packets going *to* the printer have the destination IP address of the printer (the one you replaced 
with "1.2.3.4" in your example)?
        o do the packets going *to* the printer have a TCP destination port number of 515?
        o do the packets going *to* the printer have an Ethernet type of 0x0800?

> I tested this also with tcpdump and got the same results: capture filters only show source traffic from the printer; 
> unfiltered captures show everything.

Not surprising, given that Wireshark/dumpcap and tcpdump both use libpcap, so the capture code path is the same.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe