I've been using tshark to capture packets coming off of a mirrored port so I can see everything that is coming in and going out of our network. I have the link to our ISP mirrored to a monitoring port, which the computer I use for monitoring is plugged into. I haven't had any problems with it when I don't have a capture filter; I see the traffic going both ways. However, when I put in a capture filter of "tcp port 80" I only get traffic coming into our network, but nothing going out. Is that the way the capture filter is supposed to work? Is it only supposed to capture incoming packets to that port, or is it possible to also show outgoing packets to the port as well? I get the same result whether I try the filter in tshark or wireshark. I'm running wireshark/tshark 1.2.8, so I'm going to update to 1.4.4. libpcap is 1.1.1. The box is running OpenSuse 11.3.

Any comments/ideas would be appreciated.

Thanks.

asked 15 Apr '11, 11:28

bw447
accept rate: 0%


If you don't use a capture filter, do the incoming and outgoing packets have the same protocol hierarchy? Is there one-way vlan-tagging, pppoe maybe? A capture filter looks at specific offsets in the packet for tcp port numbers. The offset depends on the previous protocol layers. So if the protocol layers differ for the incoming and the outgoing packets, you need to make a capture filter that filters for both of them individually.

Please check the protocol hierarchy (and vlan tagging) and report so we can help you build a proper filter.


answered 15 Apr '11, 11:48

SYN-bit ♦♦
accept rate: 19%

Thanks for the questions/comments. I'm going to look into the captures that I have and post what I find.

Thanks again!

(18 Apr '11, 05:45) bw447

Update: I took a look at a regular capture without any filters. Sure enough, all traffic leaving our network is tagged with a vlan. However, traffic entering our network doesn't have the tag. I'm going to dive into why it's a one-way vlan, but I would like to find a filter that will work under this situation. Any ideas?

Thanks for the help SYNbit.

(18 Apr '11, 11:19) bw447

You can use a filter like:

"tcp port 80 or (vlan and tcp port 80)"

or in more general form:

"(<original filter>) or (vlan and (<original filter>))"

(Please keep the order in this filter, as the keyword "vlan" shifts all offsets by 4 and would make the filter not work correctly if used first; see also http://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters)

(18 Apr '11, 13:49) SYN-bit ♦♦
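To make the offset shift concrete, here is an added example (not part of the thread, and not libpcap's actual BPF code) that mimics how "tcp port 80" and "tcp port 80 or (vlan and tcp port 80)" see an untagged versus an 802.1Q-tagged frame. The frames, MAC/IP addresses and port numbers are constructed sample data; IP fragment checks that real BPF also performs are left out.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(dst_port, src_port=40000, vlan_id=None):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        # 802.1Q tag = TPID 0x8100 + TCI (PCP/DEI/VID); the real EtherType follows it
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # 20-byte IPv4 header (IHL=5), protocol TCP, checksum left at zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    # 20-byte TCP header, SYN flag set
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def tcp_ports_fixed_offset(frame, skip_vlan=False):
    """Return (src, dst) ports using fixed offsets, like a compiled 'tcp port N' test.

    skip_vlan=True models the 'vlan' keyword: it requires a 0x8100 TPID and
    shifts every later offset by 4 bytes for the rest of the expression.
    """
    off = 12                                   # EtherType position in an untagged frame
    if skip_vlan:
        if struct.unpack("!H", frame[off:off + 2])[0] != ETHERTYPE_VLAN:
            return None
        off += 4                               # tag present: everything moves down by 4
    if struct.unpack("!H", frame[off:off + 2])[0] != ETHERTYPE_IPV4:
        return None                            # a tagged frame fails here without 'vlan'
    ip_off = off + 2
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_TCP:
        return None
    tcp_off = ip_off + ihl
    return struct.unpack("!HH", frame[tcp_off:tcp_off + 4])


def matches(frame, port, vlan_aware):
    """vlan_aware=False is 'tcp port N'; True is 'tcp port N or (vlan and tcp port N)'."""
    ports = tcp_ports_fixed_offset(frame)
    if ports and port in ports:
        return True
    if vlan_aware:
        ports = tcp_ports_fixed_offset(frame, skip_vlan=True)
        return bool(ports and port in ports)
    return False
```

Running matches() over an untagged and a tagged frame shows the asymmetry from the question: only the vlan-aware form catches the tagged (outgoing) direction.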

The filter works like a charm. Thanks for your help SYNbit!

(19 Apr '11, 05:31) bw447
Asked: 15 Apr '11, 11:28

Seen: 2,208 times

Last updated: 19 Apr '11, 05:47