Ask Your Question

Revision history [back]

dumpcap problem with multiple interfaces and filter

I am running Wireshark 64 bit v3.0.2 under Windows Server 2012 R2.

I believe I have run into a bug with dumpcap specifically.

My dumpcap cmd line looks like this:

dumpcap -i 3 -i 9 -f "host 172.20.1.2" -b filesize:50000 -b files:20 -w "D:\captures\172-20-1-2.pcapng"

Interfaces 3 and 9 are SPAN ports from my two Nexus 7000 core switches.

When I run this cmd as is, the filter DOES NOT work. All packets on the wires are captured. If I run this same cmd specifying only one interface (either of them), the filter works properly.

Is this a bug or a limitation of some kind?

If I were to run two separate dumpcap instances (in their own cmd shell), can I merge the two pcang files later into one, preserving the packet order?

Thanks in advance.

John

dumpcap problem with multiple interfaces and filter

I am running Wireshark 64 bit v3.0.2 under Windows Server 2012 R2.

I believe I have run into a bug with dumpcap specifically.

My dumpcap cmd line looks like this:

dumpcap -i 3 -i 9 -f "host 172.20.1.2" -b filesize:50000 -b files:20  -w "D:\captures\172-20-1-2.pcapng"

"D:\captures\172-20-1-2.pcapng"

Interfaces 3 and 9 are SPAN ports from my two Nexus 7000 core switches.

When I run this cmd as is, the filter DOES NOT work. All packets on the wires are captured. If I run this same cmd specifying only one interface (either of them), the filter works properly.

Is this a bug or a limitation of some kind?

If I were to run two separate dumpcap instances (in their own cmd shell), can I merge the two pcang files later into one, preserving the packet order?

Thanks in advance.

John

dumpcap problem with multiple interfaces and filter

I am running Wireshark 64 bit v3.0.2 under Windows Server 2012 R2.

I believe I have run into a bug with dumpcap specifically.

My dumpcap cmd line looks like this:

dumpcap -i 3 -i 9 -f "host 172.20.1.2" -b filesize:50000 -b files:20  -w "D:\captures\172-20-1-2.pcapng"

Interfaces 3 and 9 are SPAN ports from my two Nexus 7000 core switches.

When I run this cmd as is, the filter DOES NOT work. All packets on the wires are captured. If I run this same cmd specifying only one interface (either of them), the filter works properly.

Is this a bug or a limitation of some kind?

If I were to run two separate dumpcap instances (in their own cmd shell), can I merge the two pcang pcapng files later into one, preserving the packet order?

Thanks in advance.

John