Ask Your Question
0

No packet with capture filter [closed]

asked 2021-06-24 19:06:43 +0000

MichaelP gravatar image

Hello community,

I want to capture traffic to internet with capture filter. For that I use a VLAN on a cisco switch with port mirror to the vlan, existing of only two ports. One port for ethernet output of a dsl-modem, one port to ethernet inferface o the internet router. When I start capturing I see all packets an can set a display filter which works. Stopping capturing and setting a capture filter, like port 5050, no more packet are captured. No tested capture filter will work.
What is wrong? Thanks for any help

Michael

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by MichaelP
close date 2021-07-04 14:51:57.616876

Comments

Are you setting the capture filter on the Welcome Screen ?
If so, select the interface to capture on then enter the capture filter.

Chuckc gravatar imageChuckc ( 2021-06-24 19:10:32 +0000 )edit

Hello Chuckc thanks for answer. I tried two ways First at wireshark start - selecting interface setting capture filter. Second way: at running wireshark - Option Capture - stopping capture - setting option with new filter, example port 5060 - restart capture. no packets in any way. Michael

MichaelP gravatar imageMichaelP ( 2021-06-24 19:18:11 +0000 )edit

Is there a VLAN header on the packets?
For testing, does a capture filter of vlan work?
What about vlan and port 5050 or vlan and port 5060 ?

Chuckc gravatar imageChuckc ( 2021-06-24 19:38:41 +0000 )edit

Hello Chuckc, same problem. The port on cisco switch are on vlan 3 as operational vlan. cisco mirror port shows traffic von vlan 3 Filter vlan dosen't work. Filter vlan 3 dosen't work Filter vlan 3 and port 5060 dosen't work Last line of wireshark screen says: Ethnert <live capture="" in="" progress=""> No packets. Switching off the capture filter all packets visible. Here I can set a dispaly filter like "sip" an this will filter all traffic on port 5060. Looking at a selectet packet in this case I can't see a information of vlan in the frame.

MichaelP gravatar imageMichaelP ( 2021-06-25 06:12:57 +0000 )edit

To the community,

could it be a problem of the protokoll or frames? Protokoll is PPPoE and frames are greater than 1500 bit. If it is so, how can I solve this?

MichaelP

MichaelP gravatar imageMichaelP ( 2021-06-25 06:43:44 +0000 )edit
see more comments

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-06-25 11:44:28 +0000

SYN-bit gravatar image

If the packets are PPPoE encapsulated, you need to use the filter pppoes and port 5060. This is because the BPF filter engine needs to look at other offset locations for the port numbers, due to the PPPoE headers.

Hope this helps, if not, could you post the hex data of one packet that was captured without capture filter?

edit flag offensive delete link more

Comments

Hello SYN-bit

thanks. Your help will work with wireshark 2.2.5 and pcap, but not with newest wireshark 3.4.6 and npcap. There must be changes for define capture filter and at time I can't find any information about. pppoes is not allowed as filter (red color), only ether proto 0x8846. If I add "&& port 5060" or "and port 5060" behind the filter is red an not workong. MichaelP

MichaelP gravatar imageMichaelP ( 2021-06-25 12:56:16 +0000 )edit

pppoes and port 5060 works for me (as in the capture filter is accepted and goes green) with npcap.

grahamb gravatar imagegrahamb ( 2021-06-25 13:20:08 +0000 )edit

@MichaelP Did you select the right interface before typing in the capture filter? As capture filters are Link-layer specific, you need to have an Ethernet interface selected before entering the capture filter.

SYN-bit gravatar imageSYN-bit ( 2021-06-25 13:34:08 +0000 )edit

When the filter box is red, what text is in the StatusBar?

It might be easier to test capture filters using tcpdump and a capture file, then move it to Wireshark when working. (Examples in this Gitlab issue)

Chuckc gravatar imageChuckc ( 2021-06-25 14:04:03 +0000 )edit

Hello to Community.

thanks all for your help. Yes, I select the interface before. I check diffrent sources in internet for building a capture filter and my filter dosen' work as expected. My last two actions: Test the filter by recommendet SYN-bit with wireshark 2.5.5 portable and pcap. Works excellent! Be informed that I used this filter before in my installation of wireshare 3.4.6 without any success. Next: Try wireshark 3.0.9 with npcap an filter pppoes && prt 5060. What surprise - it works. Same under wireshark 3.4.6 with npcap dosen't. So is the question: New feature or bug. But my problme is now solved. Thanks again. MichaeP

MichaelP gravatar imageMichaelP ( 2021-06-25 15:19:20 +0000 )edit
see more comments

Question Tools

subscribe to rss feed

Stats

Asked: 2021-06-24 19:06:43 +0000

Seen: 1,241 times

Last updated: Jun 25 '21