Ask Your Question
0

aix iptrace capture filters

asked 2018-01-06 21:04:37 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I am analyzing an Aix iptrace which was ftp'd to my windows10 laptop from the AIX instance where it was taken. Wireshark is running on my wndows 10. I open the iptrace in wireshark (OK) . Where I'm lost is on setting up the capture filters. Two key points (1) wireshark seems to be presenting the LOCAL ethernet interfaces on my windows system whereas I'm interested in filtering the IP trace file to identify dropped packets. (2) In the capture options pane I type in arguments given me by IBM support (who are experienced wireshark users) .. Both options begin with 'tcp'' . But anything I type after tcp causes the pane to turn from green ( tcp only entered) to red ( tcp.x.y_z) .. When red , the start button is grayed out and I cannot start the analysis.

edit retag flag offensive close merge delete

Comments

Are you trying to read an existing capture file made with iptrace, are you trying to perform a new capture with Wireshark rather than iptrace, or are you trying to do both?

Guy Harris gravatar imageGuy Harris ( 2018-01-06 21:17:16 +0000 )edit

I'm afraid it is merely the case of mixing up capture filters and display filters. The OP has stated that an existing capture has been uploaded to the machine where he uses Wireshark. The tcp\..* syntax of suggested filter conditions supports this assumption.

So the only thing which puzzles me is how a capture filter field can remain accessible once a capture file has been already loaded.

Can you place here a screenshot of the Wireshark window where you try to enter the capture filter? Because it seems that you either have not loaded the capture file at all, or you went Capture->Capture filters in the menu which takes you to a capture filter manager which is not relevant to an already open capture file.

So after opening the file, fill your filter expressions into the display filter field right below the menu icons, and press the arrow at ...(more)

sindy gravatar imagesindy ( 2018-01-07 09:54:10 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-01-07 09:43:52 +0000

Jaap gravatar image

We'll need to go back to the basics for this. Wireshark has one way to get to show you packets; reading them from a file. While reading them from a file you can apply display filters, which allows you to limit what's shown.

To get packets into a capture file to be shown, Wireshark offers you the capability to capture packets from interfaces. While capturing you can apply capture filters, which allows you to limit what's getting saved in the capture file.

I think you're confusing the two cases, you're clearly dealing with the first while trying to work the second. It seems that the filter expressions given to you are display filter expressions, so they should be entered in the display filter text box. When that AIX iptrace file is loaded you would get a filtered view of the packets in there when applying the display filter.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-01-06 21:04:37 +0000

Seen: 1,185 times

Last updated: Jan 07 '18

Related questions

Can't capture TLS certificate

Can I create a capture filter on a pcap file

Resolve frame subtype and export to csv

Capture Filter Dialog Does Not Appear

I have list of filters to be verified against single wire-shark capture , how to do that ?

Configuring Filters Help Please

cannot find "Compare two capture files"

Is it possible to test a capture filter with already captured traffic?

How would I map this display filter to a capture filter?

Wireshark capture with ET2000