This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture filter problems: v 1.2.9 on Windows XP WiFi

PC 'A' is an old XP machine monitoring my internal WiFi network and helping debug what PC 'B' is doing (Wireshark 1.6.2 on Ubuntu 11.10).

Both Wiresharks are in promiscuous capture.

I want to see UDP packets on a specific port directed at PC B, plus an ICMP packet that B sends in response, AND any packets that B sends prior to the received UDP packet (to track down a Firewall problem).

Using Wireshark on PC B I 'know what to expect' for most of the time (i.e. once Wireshark is started, just missing the initial boot etc.), which is how I know there are things 'missing' from the trace on PC A.

If I use (on PC A) the capture filter 'ip proto 1 or ip proto 17' I see MOST (but not all) of the incoming UDP and outgoing ICMP.

If I add 'or (ether host ab:cd:ef:gh:ij:kl and not ether proto 0x0806)' to the capture filter string, I do not see the incoming UDP anymore (looks like I see only packets sent by the specified host).

If, instead, I add 'or dst net 224.0.0.0' then I see most of the incoming UDP, and corresponding ICMP, and any IP multicast traffic that is sent... but I am missing (by design) any other traffic sent by PC A.

I saw in the forum a post re a special form of display filter (on source IP) needed when traffic is captured from a WiFi interface... Is there an equivalent that is needed to get the capture filter to work as desired on WiFi?

OR is my capture filter design/syntax OK, and the missing packets due to bad WiFi, incapable old hardware etc.?

OR is this a known bug/issue with such an old version of Wireshark? (I looked at upgrading a while back and think I concluded 'not possible without OS upgrade'.)

Thanks in advance.

asked 15 Jun '13, 17:03

charlieS