EAPOL capture filter not showing anything
Hi all. I need to capture all EAPOL traffic happening on one specific switch. Therefore I set up what follows.
- configured a mirror port (SPAN) on the switch.
- attached a notebook to this mirror port.
- started Wireshark 3.0.6 on this notebook and selected the Ethernet NIC
- on the switch I configured the mirror so that all switch ports (except for the uplinks and the one port where the Wireshark notebook is connected to) will mirror the traffic to the designated "mirror port"
- on Wireshark again, I set the capture filter to be "ether proto 0x888e" but it did not capture anything.
So, please: is anybody able to help me in this? I've read some threads also and even there, some people were reporting that they weren't able to set a capture filter for EAPOL.
Thanks in advance! Flavio.
See what you capture when you switch the capture filter around, try
not ether proto 0x0800to exclude all IPv4 traffic. If then you see EAPOL traffic it's actually there. It may be that since EAPOL is a link scope protocol the frames don't end up on the span.Hi Jaap, thanks for your reply. I was also suspecting that EAPOL packets would not reach the notebook with Wireshark, so I started the capture without any capture filter and I was seeing all the traffic. Then I set the display filter to "eapol" and after some time I saw EAPOL packets. So they are reaching the mirror/SPAN port.
Now I tried your suggestion: I set the capture filter to
not ether proto 0x0800
and started the capture. I do see lots of non-IPv4 traffic.
I've started Wireshark again with the "ether proto 0x888e" and I'll wait to see - maybe it was a hiccup on Wireshark on this computer?!
I'll report back... Thanks, Flavio.