This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture filter with port mirroring

1

I've been using tshark to capture packets coming off of a mirrored port so I can see everything that is coming in and going out of our network. I have the link to our ISP mirrored to a monitoring port where my computer that I use for monitoring is plugged into. I haven't had any problems with it when I don't have a capture filter. I see the traffic going both ways. However, when I put a capture filter of "tcp port 80", I only get traffic coming into our network, but nothing going out. Is that the way the capture filter is supposed to work? Is it only supposed to capture incoming packets to that port, or is it possible to also show outgoing packets to the port as well? I get the same result whether I try the filter in tshark or wireshark. I'm running wireshark/tshark 1.2.8 so I'm going to update to 1.4.4. libpcap is 1.1.1. The box is running OpenSuse 11.3.

Any comments/ideas would be appreciated.

Thanks.

asked 15 Apr '11, 11:28

bw447


One Answer:

1

If you don't use a capture filter, do the incoming and outgoing packets have the same protocol hierarchy? Is there one-way VLAN tagging, PPPoE maybe? A capture filter looks at specific offsets in the packet for TCP port numbers. The offset is dependent on the previous protocol layers. So if the protocol layers differ for the incoming and the outgoing packets, you need to make a capture filter that filters for both of them individually.

Please check the protocol hierarchy (and vlan tagging) and report so we can help you build a proper filter.

answered 15 Apr '11, 11:48

SYN-bit ♦♦

Thanks for the questions/comments. I'm going to look into the captures that I have and post what I find.

Thanks again!

(18 Apr '11, 05:45) bw447

Update: I took a look at a regular capture without any filters. Sure enough, all traffic leaving our network is tagged with a VLAN. However, traffic entering our network doesn't have the tag. I'm going to dive into why it's a one-way VLAN, but I would like to find a filter that will work under this situation. Any ideas?

Thanks for the help SYNbit.

(18 Apr '11, 11:19) bw447
1

You can use a filter like:

"tcp port 80 or (vlan and tcp port 80)"

or in more general form:

"(<original filter>) or (vlan and (<original filter>))"

(please keep the order in this filter, as the keyword "vlan" shifts all offsets by 4 and would make the filter not work correctly if used first, see also http://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters)

(18 Apr '11, 13:49) SYN-bit ♦♦

The filter works like a charm. Likes for your help SYNbit!

(19 Apr '11, 05:31) bw447
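
Why the plain filter saw only one direction, and why the order of the terms matters, as an added Python model (not code from this thread and not libpcap's generated BPF). The frames, addresses and VLAN ID 10 are constructed, and the `shift` parameter is a hypothetical stand-in for the 4-byte offset change described in the comment above.

```python
import struct

ETH_IPV4, ETH_VLAN, PROTO_TCP = 0x0800, 0x8100, 6

def frame(sport, dport, vlan_id=None):
    """Constructed Ethernet/IPv4/TCP frame, optionally carrying an 802.1Q tag."""
    eth = bytes(12)                                   # dst + src MAC (zeros)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)  # 4-byte tag: TPID + TCI
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def u16(pkt, off):
    return struct.unpack_from("!H", pkt, off)[0] if len(pkt) >= off + 2 else None

def vlan(pkt):
    return u16(pkt, 12) == ETH_VLAN

def tcp_port(pkt, port, shift=0):
    """'tcp port N' as fixed-offset loads; shift = extra link-layer bytes."""
    if u16(pkt, 12 + shift) != ETH_IPV4 or len(pkt) < 34 + shift:
        return False
    if pkt[23 + shift] != PROTO_TCP or u16(pkt, 20 + shift) & 0x1FFF:
        return False                                  # not TCP, or a later fragment
    l4 = 14 + shift + (pkt[14 + shift] & 0x0F) * 4    # skip the IP header (IHL)
    return port in (u16(pkt, l4), u16(pkt, l4 + 2))

def plain(pkt):        # "tcp port 80"
    return tcp_port(pkt, 80)

def recommended(pkt):  # "tcp port 80 or (vlan and tcp port 80)"
    return tcp_port(pkt, 80) or (vlan(pkt) and tcp_port(pkt, 80, shift=4))

def vlan_first(pkt):   # "(vlan and tcp port 80) or tcp port 80"
    # everything written after "vlan" is compiled with the shifted offsets
    return (vlan(pkt) and tcp_port(pkt, 80, shift=4)) or tcp_port(pkt, 80, shift=4)

inbound = frame(80, 49152)                 # untagged, as seen entering the network
outbound = frame(49152, 80, vlan_id=10)    # tagged, as seen leaving (VLAN 10 is made up)

if __name__ == "__main__":
    for name, f in (("plain", plain), ("recommended", recommended), ("vlan_first", vlan_first)):
        print(f"{name:12} inbound={f(inbound)} outbound={f(outbound)}")
```

For a monitoring tap, the `vlan_first` row is the one to watch for: the capture still fills with packets, so the missing untagged direction is easy to overlook.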