Ask Your Question
0

tshark filter options broken with NapaTech NIC

asked 2025-08-22 01:18:03 +0000

hebron1212 gravatar image

updated 2025-08-22 11:08:20 +0000

grahamb gravatar image

When running tshark on a NapaTech NIC, the host (and other) keywords do not work. We are using the libpcap that Napatech provides. NapaTech seems to think it's a bug in the non-Napatech libpcap files.

Versions

  • RHEL 8.10
  • libpcap 1.10.4
  • tshark 2.6.2

Using grep, the packets are there

[root@nspcapprd101 ~]# /usr/bin/tshark -i napa2 | grep 10.239.81.123
Running as user "root" and group "root". This could be dangerous.
Capturing on 'napa2'
34795 38185 0.088616101 10.239.81.123 → 10.41.177.39 UDP 66 2598 → 56164 Len=20
40795 46374 0.106482092 10.41.177.39 → 10.239.81.123 UDP 66 56164 → 2598 Len=20
106792 108290 0.283687032 10.239.81.123 → 10.41.177.39 UDP 77 2598 → 56164 Len=31

But using the host keyword, nothing is there for several minutes

[root@nspcapprd101 ~]# /usr/bin/tshark -i napa2 host 10.239.81.123
Running as user "root" and group "root". This could be dangerous.
Capturing on 'napa2'
0 packets captured

Then running with grep again to make sure packets still coming in

[root@nspcapprd101 ~]# /usr/bin/tshark -i napa2 | grep 10.239.81.123
Running as user "root" and group "root". This could be dangerous.
Capturing on 'napa2'
22800 28556 0.098213558 10.239.81.123 → 10.41.177.39 UDP 76 2598 → 56164 Len=30
28799 29634 0.101830401 10.41.177.39 → 10.239.81.123 UDP 86 56164 → 2598 Len=40
29703 0.102196547 10.239.81.123 → 10.41.177.39 UDP 66 2598 → 56164 Len=20

Host keyword works on other interfaces on server

[root@nspcapprd101 lib]# /usr/bin/tshark -i eno2 host 192.168.12.22
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eno2'
1 0.000000000 192.168.12.22 → 192.168.12.127 SNMP 154 get-request
2 0.001103924 192.168.12.22 → 192.168.12.127 SNMP 185 getBulkRequest 1.3.6.1.2.1.17.7.1.2.2.1.2.3046.232.106.100.118.61.14
3 0.057710947 192.168.12.22 → 192.168.12.127 SNMP 110 getBulkRequest
edit retag flag offensive close merge delete

Comments

You may want to take note of the warning about running as root, especially when using such an old version of tshark.

grahamb gravatar imagegrahamb ( 2025-08-22 11:09:47 +0000 )edit

Sharkfest 2009 Napatech presentation: Wireshark in a Multi-Core Environment Using Hardware Acceleration

Chuckc gravatar imageChuckc ( 2025-08-22 11:30:16 +0000 )edit

NapaTech seems to think it's a bug in the non-Napatech libpcap files.

Installing and Running libpcap Applications
Ensure the use of the Napatech libpcap library If other libpcap libraries are installed on the target platform, it is uncertain which libpcap library will be used. > There are two ways to ensure that the Napatech libpcap library is used:

  • By removing all other libpcap libraries from the system By forcing the application to use the Napatech libpcap library
Chuckc gravatar imageChuckc ( 2025-08-22 19:24:46 +0000 )edit

NapaTech seems to think it's a bug in the non-Napatech libpcap files.

Napatech seems to be saying that, if you want to capture traffic on a Napatech adapter, you should use their version of libpcap. Whether this is because of a bug in tcpdump.org libpcap (in which case Napatech should open an issue on the libpcap issue list or even a pull request with a fix on the libpcap pull request list, or it's because libpcap does not include code to do Special Magic Things on Napatech adapters, you don't get various Napatech-specific capabilities.

My guess is that it's the latter...

...unless tshark - or, rather, dumpcap - is using the Napatech version of libpcap rather than the one shipped with the OS.

What does /usr/bin/tshark --version print?

Guy Harris gravatar imageGuy Harris ( 2025-08-22 21:58:37 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2025-08-22 11:26:08 +0000

SYN-bit gravatar image

The most common reason for a L3/L4 capture filter to not work is that the packets are encapsulated at a lower level. Usually vlan tagging. What do you see without a filter when you do a tcpdump -neli <interface>?

If there are vlan tags, try the following filter -f "vlan and host 10.239.81.123".

If that does not work, it would be handy to see a very small unfiltered capture to see what might be in the way.

edit flag offensive delete link more

Comments

If there are vlan tags, then assuming you don't care about arp or rarp packets, I'd recommend using -f "vlan and ip and host 10.239.81.123" instead, as it's more efficient. And if you only care about standard VLAN, then this can be made even more efficient, albeit at the cost of a more complex capture filter, using ether[12:2] == 0x8100 and ether[16:2] == 0x0800 and (ether[30:4] == 0x0aef517b or ether[34:4] == 0x0aef517b).

Q. Why does dumpcap -d and Wireshark -> Capture Options -> Compile BPFs produce different output for the same capture filter? It's almost as if dumpcap's output is non-optimized, but if that's the case ... why is that? NOTE: bpfexam can also be used as a comparision.

cmaynard gravatar imagecmaynard ( 2025-08-22 19:06:21 +0000 )edit

And since you can have multiple "Compiled Filter Output" windows, it'd also be nice if Wireshark's "Compiled Filter Output" window title included the capture filter expression, so you could actually tell which expression the generated BPF output originated from.

cmaynard gravatar imagecmaynard ( 2025-08-22 19:17:23 +0000 )edit

Q. Why does dumpcap -d and Wireshark -> Capture Options -> Compile BPFs produce different output for the same capture filter?

The only difference I'm seeing for "vlan and ip and host 10.239.81.123" between "Dumpcap (Wireshark) 4.4.8 (v4.4.8-0-g0d289c003bfb)." when I run tcpdump -d -f "vlan and ip and host 10.239.81.123" (defaults to en0 with a link-layer type of Ethernet) and "Wireshark 4.4.8 (v4.4.8-0-g0d289c003bfb)." when I use "Compile BPFs" with en0 selected is that the dumpcap version uses a snapshot length of 512KiB and the Wireshark version uses a snapshot length of 256 KiB, so the return value on a match is different. That's definitely not what should be happening, but it's not a question of optimized vs. non-optimized.

Guy Harris gravatar imageGuy Harris ( 2025-08-22 22:32:38 +0000 )edit

(and BPFExam produces the same output as Wireshark if I set the snapshot length to 262144)

Guy Harris gravatar imageGuy Harris ( 2025-08-22 22:36:24 +0000 )edit

dumpcap version uses a snapshot length of 512KiB

Because it's running on macOS, (dynamically) linked with the macOS version of libpcap, and Apple decided to "Keep [libpcap's MAXIMUM_SNAPLEN #define] in sync with BPF_MAXBUFSIZE", so that it's 512KiB, so that's libpcap's default if the snapshot length wasn't explicitly set, and dumpcap wasn't passed a -d flag so it defaulted to libpcap's default.

I.e., on most other OSes, even that difference probably wouldn't have happened.

Guy Harris gravatar imageGuy Harris ( 2025-08-22 23:54:19 +0000 )edit
see more comments
0

answered 2025-08-22 03:19:23 +0000

cmaynard gravatar image

updated 2025-08-22 03:21:43 +0000

You need to use the -f <capture filter> option. For example:

/usr/bin/tshark -i napa2 -f "host 10.239.81.123"

For a more efficient capture filter, I'd recommend using the following instead:

/usr/bin/tshark -i napa2 -f "ip and host 10.239.81.123"

You can compare these two filters yourself using dumpcap's -d option.

Refs:

edit flag offensive delete link more

Comments

You need to use the -f <capture filter=""> option.

Nope. tshark, like tcpdump, will (at least in the case of a live capture, for tshark) combine all non-flag-argument tokens (after the last flag argument) into a string, with spaces between them, and treat that as a capture filter, so -f isn't necessary.

Guy Harris gravatar imageGuy Harris ( 2025-08-22 21:27:16 +0000 )edit

Yeah, I realized that after Sake posted his answer. I guess I'm too used to using dumpcap, where this isn't supported.

Of course, other than in the Synopsis of the tshark man page, the [ <filter> ] isn't mentioned anywhere, so it's perhaps not completely obvious that it is a capture filter or how well it plays nicely with -f <capture filter> (Hint: It doesn't). Using this trailing filter means that you can't use a default capture filter specified with a -f <capture filter> option before the first -i option, nor can you use a per-interface capture filter specified with a -f <capture filter> option after a -i option if using this trailing filter.

cmaynard gravatar imagecmaynard ( 2025-08-23 03:49:11 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-08-22 01:18:03 +0000

Seen: 109 times

Last updated: Aug 22

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark