Revision history

If I understand you correctly, you place a network TAP between a system and the switch/router it was connected to and connected a second system to the monitor port of the TAP to see the packets. This means all traffic between the monitored system and the switch/router should be visible on the monitoring system. The fact that you see the traffic when not using a filter seems to confirm this assumption.

So you also see the packets for IP x.x.x.x when not using a filter, but you don't see them when using the BPF filter host x.x.x.x. This means that the filter needs some adjustment. Usually when this happens, the traffic is encapsulated. The host x.x.x.x filter looks at offset 26 or offset 30 in the packet for the IP address.

When vlan tagging is used, there are 4 additional bytes between the ethernet header and the IP header. This means the BPF filter needs to know that there is a vlan tag present to change the offsets accordingly. You can do this with the filter vlan and host x.x.x.x.

Another option is that the traffic is PPPoE encapsulated; this means there is a PPPoE header and you can adjust the filter to pppoes and host x.x.x.x.

If you capture without a filter, you can then look at all the headers to see if there was any encapsulation and then change your capture filter accordingly.
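To make the offset point concrete, here is an added example (not part of the answer above) that walks a raw Ethernet frame past any 802.1Q tag or PPPoE session header and reports where the IPv4 header really starts. It then contrasts a fixed-offset check that mimics what plain host x.x.x.x compiles to on Ethernet (IPv4 ethertype at offset 12, source address at 26, destination at 30) with an encapsulation-aware check. The three frames are constructed inline with documentation addresses; the mimic deliberately ignores the ARP/RARP branches a real host filter also compiles, and only the PPPoE session stage (ethertype 0x8864) is handled.

```python
# Added example: locate the IPv4 header in an Ethernet frame that may carry an
# 802.1Q VLAN tag (one or more) or a PPPoE session header, and show why a
# fixed-offset "host" match misses encapsulated traffic.
import ipaddress
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100          # 802.1Q tag
ETH_QINQ = 0x88A8          # 802.1ad outer tag
ETH_PPPOE_SESSION = 0x8864
PPP_IPV4 = 0x0021          # PPP protocol id for IPv4


def ip_header_offset(frame: bytes):
    """Return (offset of IPv4 header or None, encapsulation label)."""
    off = 14                                   # after dst MAC, src MAC, ethertype
    etype = struct.unpack_from("!H", frame, 12)[0]
    layers = []
    while etype in (ETH_VLAN, ETH_QINQ):       # each tag adds 4 bytes
        layers.append("vlan")
        etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if etype == ETH_PPPOE_SESSION:             # 6-byte PPPoE header + 2-byte PPP protocol
        layers.append("pppoes")
        ppp_proto = struct.unpack_from("!H", frame, off + 6)[0]
        off += 8
        return (off if ppp_proto == PPP_IPV4 else None), "+".join(layers)
    if etype == ETH_IPV4:
        return off, "+".join(layers) or "none"
    return None, "+".join(layers) or "unknown"


def fixed_offset_host_match(frame: bytes, addr: str) -> bool:
    """Mimic 'host x.x.x.x' as compiled for untagged Ethernet (IPv4 branch only)."""
    target = ipaddress.IPv4Address(addr).packed
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    return frame[26:30] == target or frame[30:34] == target


def encap_aware_host_match(frame: bytes, addr: str) -> bool:
    """Same test, but with the IP header offset derived from the actual headers."""
    target = ipaddress.IPv4Address(addr).packed
    off, _ = ip_header_offset(frame)
    if off is None:
        return False
    return frame[off + 12:off + 16] == target or frame[off + 16:off + 20] == target


def build_ipv4(src: str, dst: str) -> bytes:
    # Minimal 20-byte IPv4 header, UDP protocol, no payload, checksum left zero (constructed).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_frame(encap: str, src: str, dst: str) -> bytes:
    """Constructed test frames: plain, single VLAN tag (VID 100), or PPPoE session."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ip = build_ipv4(src, dst)
    if encap == "none":
        return eth + struct.pack("!H", ETH_IPV4) + ip
    if encap == "vlan":
        return eth + struct.pack("!HH", ETH_VLAN, 100) + struct.pack("!H", ETH_IPV4) + ip
    if encap == "pppoes":
        pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ip) + 2)  # ver/type, code, session id, length
        return eth + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe + struct.pack("!H", PPP_IPV4) + ip
    raise ValueError(encap)


def compare(addr: str = "192.0.2.10") -> dict:
    """For each encapsulation: (IPv4 header offset, fixed-offset match, aware match)."""
    results = {}
    for encap in ("none", "vlan", "pppoes"):
        frame = build_frame(encap, addr, "198.51.100.1")
        off, _label = ip_header_offset(frame)
        results[encap] = (off, fixed_offset_host_match(frame, addr),
                          encap_aware_host_match(frame, addr))
    return results


if __name__ == "__main__":
    for encap, (off, fixed, aware) in compare().items():
        prefix = "" if encap == "none" else encap + " and "
        print(f"{encap:7s} ip@{off:2d}  host-only match={fixed!s:5s}  "
              f"aware match={aware}  use filter: {prefix}host 192.0.2.10")
```

Running it shows the IPv4 header at offset 14 for the plain frame, 18 behind a VLAN tag and 22 behind a PPPoE session header; only the plain frame satisfies the fixed-offset check, which is exactly the symptom described above, while prefixing the filter with vlan or pppoes lets the compiled program shift its offsets.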
