If I understand you correctly, you placed a network TAP between a system and the switch/router it was connected to, and connected a second system to the monitor port of the TAP to see the packets. This means all traffic between the monitored system and the switch/router should be visible on the monitoring system. The fact that you see the traffic when not using a filter seems to confirm this assumption.
So you also see the packets for IP x.x.x.x when not using a filter, but you don't see them when using the BPF filter host x.x.x.x. This means that the filter needs some adjustment. Usually when this happens, the traffic is encapsulated. The host x.x.x.x filter looks at offset 26 or offset 30 in the packet for the IP address.
When vlan tagging is used, there are 4 additional bytes between the ethernet header and the IP header. This means the BPF filter needs to know that there is a vlan tag present to change the offsets accordingly. You can do this with the filter vlan and host x.x.x.x.
Another option is that the traffic is PPPoE encapsulated; this means there is a PPPoE header and you can adjust the filter to pppoes and host x.x.x.x.
If you capture without a filter, you can then look at all the headers to see if there was any encapsulation and then change your capture filter accordingly.
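To show why the plain host filter misses tagged frames, here is an added Python example (not part of the original answer) that builds constructed untagged and 802.1Q-tagged Ethernet/IPv4 frames and applies the same offset checks that host x.x.x.x and vlan and host x.x.x.x compile to; the MAC addresses, IP addresses and VLAN ID are made up.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
# Constructed MAC addresses for the sample frames (not captured traffic).
ETH_DST = bytes.fromhex("001122334455")
ETH_SRC = bytes.fromhex("66778899aabb")

def ipv4_header(src: str, dst: str) -> bytes:
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags/frag,
    # TTL, proto (6 = TCP), checksum (left 0; not verified here), src, dst.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_frame(src: str, dst: str, vlan_id=None) -> bytes:
    eth = ETH_DST + ETH_SRC
    if vlan_id is not None:
        # TPID 0x8100 + TCI (PCP=0, DEI=0, VID) inserted before the EtherType.
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header(src, dst) + b"data"

def ip_header_offset(frame: bytes):
    # Walk the link-layer headers (what the answer suggests doing by hand
    # in an unfiltered capture) and return where the IPv4 header starts.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return offset if ethertype == ETHERTYPE_IPV4 else None

def host_filter(frame: bytes, host: str) -> bool:
    # 'host x.x.x.x': EtherType at offset 12 must be 0x0800, then compare
    # the IPv4 source at offset 26 and destination at offset 30.
    want = ipaddress.IPv4Address(host).packed
    if frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return False
    return frame[26:30] == want or frame[30:34] == want

def vlan_and_host_filter(frame: bytes, host: str) -> bool:
    # 'vlan and host x.x.x.x': EtherType at 12 must be 0x8100 and the
    # encapsulated EtherType at 16 0x0800; the 4-byte tag shifts the
    # address offsets to 30 (src) and 34 (dst).
    want = ipaddress.IPv4Address(host).packed
    if ip_header_offset(frame) != 18:
        return False
    return frame[30:34] == want or frame[34:38] == want
```

Running the tagged frame through host_filter returns False even though the address is present, which is exactly the symptom described in the question.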
Do you see traffic to or from that address if you don't use a capture filter? If not, then, yes, there's probably no traffic to or from that address being sent from that NIC, and either:
or
- the NIC is in promiscuous mode and is seeing all the traffic on your network segment, and there's no traffic ...
Yes, I see lots of traffic to and from this particular address when using no capture filter.
The address in question when there is no capture filter is in this format:
xxx.xxx.xxx.xxx.dsl.dyn.ihug.co.nz
Even if I do a capture filter of 'ip' it doesn't capture anything.
"xxx.xxx.xxx.xxx.dsl.dyn.ihug.co.nz" is not an address but a DNS name. Turn off network address resolving to see the IP address (or look in the packet details pane or use nslookup, etc.). More about capture filters can be found here: https://gitlab.com/wireshark/wireshar...