Ask Your Question
0

Capture filter not filtering anything

asked 2019-08-29 18:37:45 +0000

wireavguy gravatar image

updated 2019-08-29 18:57:09 +0000

grahamb gravatar image

Hi there, I'm trying to capture traffic between two sets of two endpoints.

endpoint group 1 capture filter:

ether src 00:10:7f:ae:71:81 or ether dst 00:10:7f:ae:71:81 or ether src 00:10:7f:b0:96:47 or ether dst 00:10:7f:b0:96:47

I run this for about 1 minute and it produces a reasonably sized capture file that doesn't crash wireshark.

Endpoint group 2 capture filter:

ether src 00:10:7f:aa:b6:f0 or ether dst 00:10:7f:aa:b6:f0 or ether src 00:10:7f:ae:fd:07 or ether dst 00:10:7f:ae:fd:07

Within 10 seconds the capture file is about 15 gb. Wireshark does not handle this and crashes.

in both cases I'm only sending 2 interfaces to the span port. The endpoints are Crestron NVX modules sending a mixture of traffic but mostly udp multicast.

What I'm not understanding about either capture filter is that I'm still capturing traffic from other devices, even though I've specified that I only want to capture traffic to or from 2 specific devices.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-08-29 19:05:14 +0000

SYN-bit gravatar image

updated 2019-08-29 19:06:56 +0000

grahamb gravatar image

The way I would troubleshoot this is to make a small capture without capture filter (say 10000 packets) and then do the same with the capture filter. Have a look at the "Statistics -> Conversations" overview and check the "Ethernet" tab to see whether every packet has one of the mac addresses from your filter. I suspect that ine of the endpoints is sending a lot of data.

I'm trying to capture traffic between two sets of two endpoints.

If the purpose of your filter is to capture between two endpoints, the filter should have the form:

ether host <mac-addrsystem1> and ether host <mac-addr system2>

or

(ether src mac1 or ether dst mac1) and (ether src mac2 or ether dst mac2)

The filters you mentioned collect all packets that were either sent or received by either of those two hosts, independent of whom they were sending to or receiving from.

edit flag offensive delete link more

Comments

I would also add that you should use dumpcap rather than Wireshark when dealing with high traffic rates.

grahamb gravatar imagegrahamb ( 2019-08-29 19:08:22 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-08-29 18:37:45 +0000

Seen: 1,041 times

Last updated: Aug 29 '19