Ask Your Question
0

Capture filter not capturing anything

asked 2021-09-11 09:11:06 +0000

Jedi gravatar image

I am running Ubuntu 20.04.

I am capturing using a network tap on a computer that has a separate NIC not configured with an IP address.

When I run a capture using 'host xxx.xxx.xxx.xxx' as a capture filter it does not capture anything even though I know there is traffic to that address. I am assuming this is because there is no traffic destined to or sourced from the NIC I am capturing on?

Is there a capture filter available that could capture traffic to and from a particular IP address in this scenario?

edit retag flag offensive close merge delete

Comments

When I run a capture using 'host xxx.xxx.xxx.xxx' as a capture filter it does not capture anything even though I know there is traffic to that address. I am assuming this is because there is no traffic destined to or sourced from the NIC I am capturing on?

Do you see traffic to or from that address if you don't use a capture filter? If not, then, yes, there's probably no traffic to or from that address being sent from that NIC, and either:

or

  • the NIC is in promiscuous mode and is seeing all the traffic on your network segment, and there's no traffic ...
(more)
Guy Harris gravatar imageGuy Harris ( 2021-09-11 09:52:23 +0000 )edit

Yes I see lots of traffic to and from this particular address when using no capture filter?

Jedi gravatar imageJedi ( 2021-09-11 10:00:50 +0000 )edit

The address in question when there is no capture filter is in this format:

xxx.xxx.xxx.xxx.dsl.dyn.ihug.co.nz

Jedi gravatar imageJedi ( 2021-09-11 10:04:55 +0000 )edit

Even if I do a capture filter of 'ip' it doesn't capture anything.

Jedi gravatar imageJedi ( 2021-09-11 10:25:27 +0000 )edit

"xxx.xxx.xxx.xxx.dsl.dyn.ihug.co.nz" is not an address but a DNS name. Turn off network address resolving to see the IP address (or look in the packet details pane or use nslookup, etc.). More about capture filters can be found here: https://gitlab.com/wireshark/wireshar...

André gravatar imageAndré ( 2021-09-11 10:42:19 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2021-09-12 09:38:27 +0000

SYN-bit gravatar image

updated 2021-09-12 12:20:40 +0000

If I understand you correctly, you place a network TAP between a system and the switch/router it was connected to and connected a second system to the monitor port of the TAP to see the packets. This means all traffic between the monitored system and the switch/router should be visible on the monitoring system. The fact that you see the traffic when not using a filter seems to confirm this assumption.

So you also see the packets for IP x.x.x.x when not using a filter, but you don't see them when using the BPF filter host x.x.x.x. This means that the filter needs some adjustment. Usually when this happens, the traffic is encapsulated. The host x.x.x.x filter looks at offset 26 or offset 30 in the packet for the IP address.

When vlan tagging is used, there are 4 additional bytes between the ethernet header and the IP header. This means the BPF filter needs to know that there is a vlan tag present to change the offsets accordingly. You can do this with the filter vlan and host x.x.x.x.

Another option is that the traffic is PPPoE encapsulated, this means there is a PPPoE header and you can adjust the filter to pppoes and host x.x.x.x.

If you capture without a filter, you can then look at all the headers to see if there was any encalsulation and then change your capture filter accordingly.

edit flag offensive delete link more

Comments

Wow, you cracked it. The traffic is PPPoE. The correct filter is pppoes and yes it worked. I didn't think this problem had a solution. I am very impressed.

Jedi gravatar imageJedi ( 2021-09-12 10:38:24 +0000 )edit

Good to hear I was on the right track! Thanks for pointing out my typo, I corrected it :-)

SYN-bit gravatar imageSYN-bit ( 2021-09-12 12:21:39 +0000 )edit

(Buried in the comments on the original question above)
Jedi: "problem only occurs if I have the network tap positioned between the wall and the router."
Guy: "So what signal is coming out of the wall? "
Jedi: "I have fibre."
The other end of "the wall" is a fibre to ethernet device such as a ONT.

Chuckc gravatar imageChuckc ( 2021-09-13 15:34:37 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-09-11 09:11:06 +0000

Seen: 113 times

Last updated: Sep 12