tshark strange behavior with capture filter
Hi,
I have some strange behavior of tshark:
On my PC, I'm executing tshark -i 5 port 1900 and I see some data.
On the lab's PC, I'm executing tshark -i 5 port 1900 and I see some data (interface #5 is the internal network).
On the lab's PC, I'm executing tshark -i 2 and I see all of the stream, including 224.1.1.1. Executing tshark -i 2 -f "port 30000", I don't see any data (port 30000 is one of the ports which goes alongside 224.1.1.1).
Same for tshark -i 2 port 1900 -f "host 224.1.1.1" and tshark -i 2 port 30000.
What am I doing wrong?
P.S. I'm working with Win7.
EDIT: when I'm using a display filter, I can see the data, but I'd like to use the capture filter in order to reduce some traffic handling. When I'm using the same capture filter in Wireshark, I have the same issue as above.
224.1.1.1 would typically be a multicast address. What protocol are you looking for?
UDP. On top of it I have my custom dissector.
Any VLAN tags involved?
@Jaap, nope
So if you capture without a filter, you see traffic to and from port 30000, but if you capture with "port 30000", you don't?
@Guy Harris Right
Can you show Wireshark's detailed dissection of one of those packets? You don't need to show anything after the UDP layer.
Unfortunately I can't. This is in my internal network. But please have a look on the edit. "when I'm using display filter, I can see the data, but I'd like to use the capture filter in order to reduce some traffic handling. When I'm using same capture filter in wireshark - I have same issue like above"
Wireshark has two filtering languages: capture filters and display filters. They're apples and oranges apart, done by two different code bases.
That gives no additional information. At this point, I need to see at least some of the raw data in the packet in order to even try to guess what might be causing this.
I don't need all the information - you can censor MAC addresses and IP addresses, but I need to see, at minimum:
@Guy Harris - Ethernet. The 2 bytes are 0x0800 (IPv4).
So the first 14 bytes of the packet are XX XX XX XX XX XX XX XX XX XX XX XX 08 00, with the XX's being the destination and source MAC addresses? And what comes after that is an IPv4 packet with a protocol ID field of 17 (for UDP), followed by a UDP header with a source or destination port number of 30000?
And those packets are captured without the "port 30000" filter but aren't captured with that filter?
Are you using WinPcap or Npcap with Wireshark? If it's Npcap, what version of Npcap is it?
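As an added illustration, not part of this thread and not Wireshark or libpcap code, the Python below emulates how a pcap-filter expression such as "port 30000" or "host 224.1.1.1" is matched against raw Ethernet frames, next to a display-filter style check that runs after full dissection. It covers the VLAN case Jaap asked about: a capture filter without a "vlan" keyword tests the EtherType at fixed offset 12, so an 802.1Q-tagged frame (0x8100 there) never matches "port 30000", while a display filter still sees the UDP port. The frames, MAC addresses, IP addresses and VLAN id are constructed sample data; only UDP ports are handled.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
IPPROTO_UDP = 17


def build_frame(dst_ip, src_ip, sport, dport, payload=b"", vlan_id=None):
    """Build a minimal Ethernet/IPv4/UDP frame (constructed sample data;
    IP and UDP checksums are left zero, which is enough for offset matching)."""
    dst_mac = bytes.fromhex("01005e010101")  # IPv4 multicast MAC for 224.1.1.1
    src_mac = bytes.fromhex("020000000001")  # locally administered, constructed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0, 0, 1, IPPROTO_UDP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    if vlan_id is None:
        eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN,
                                              vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip + udp


def dissect(frame):
    """Dissect Ethernet -> (802.1Q) -> IPv4 -> UDP the way a dissector does,
    following the EtherType chain. Returns None if the frame is not IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    info = {
        "vlan": vlan,
        "proto": frame[offset + 9],
        "src": str(IPv4Address(frame[offset + 12:offset + 16])),
        "dst": str(IPv4Address(frame[offset + 16:offset + 20])),
    }
    if info["proto"] == IPPROTO_UDP:
        udp = frame[offset + ihl:offset + ihl + 8]
        info["sport"], info["dport"] = struct.unpack("!HH", udp[:4])
    return info


def capture_filter(frame, port=None, host=None, vlan=False):
    """Emulate a pcap-filter expression built from 'port N' and 'host H' with an
    optional 'vlan and' prefix (UDP only). Without 'vlan', the EtherType is tested
    at fixed offset 12, so a tagged frame never matches; with 'vlan', only tagged
    frames match and the IP/UDP offsets shift by 4 bytes."""
    info = dissect(frame)
    if info is None:
        return False
    if (info["vlan"] is not None) != vlan:
        return False
    if host is not None and host not in (info["src"], info["dst"]):
        return False
    if port is not None and port not in (info.get("sport"), info.get("dport")):
        return False
    return True


def display_filter_udp_port(frame, port):
    """Display-filter style check (udp.port == N): applied after full dissection,
    so a VLAN tag does not matter."""
    info = dissect(frame)
    return info is not None and port in (info.get("sport"), info.get("dport"))


if __name__ == "__main__":
    plain = build_frame("224.1.1.1", "10.0.0.5", 40000, 30000, b"hello")
    tagged = build_frame("224.1.1.1", "10.0.0.5", 40000, 30000, b"hello", vlan_id=100)
    for name, frame in (("untagged", plain), ("802.1Q tagged", tagged)):
        print(name,
              "port 30000:", capture_filter(frame, port=30000),
              "| vlan and port 30000:", capture_filter(frame, port=30000, vlan=True),
              "| udp.port == 30000:", display_filter_udp_port(frame, 30000))
```

If the lab capture shows the 224.1.1.1 stream with no filter but not with "port 30000", comparing bytes 12-13 of a captured frame against 0x0800 is the first thing this model suggests checking; a tagged frame needs "vlan and port 30000" instead.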