OK, I give up. I've been bangin' my head against this one for a while now. I know how it SHOULD work, but something's wrong.

I am sniffing a trunk carrying double-tagged traffic on a distribution switch with massive amounts of data, so I don't have the liberty of capturing all packets and then doing a display filter. I need to capture a single IP address (using the WS GUI, not TShark), so I enter "host 1.2.3.4" without the quotes, for example. But this captures zero packets. If I capture all the traffic and then display filter it for 1.2.3.4, it appears in numerous packets, so I know the IP is correct. If I enter the MAC address associated with the IP in the capture filter, "ether host ab:cd:ef:12:34:56", it works perfectly.

I read where this could possibly be due to encapsulation, so I've tried:

"ip and host 1.2.3.4"
"ppp and host 1.2.3.4"
"pppoe and host 1.2.3.4"
"pppoes and host 1.2.3.4"

Nothing's working so far. Anyone have a suggestion? Thanks!

asked 18 Feb '14, 15:42 randyp
edited 19 Feb '14, 15:18 Guy Harris ♦♦
One Answer:
Then you need to be careful with capture filters.

If you want to capture traffic to 1.2.3.4 in traffic with no tags, the correct filter is

If you want to capture traffic to 1.2.3.4 in traffic with one level of VLAN tagging, the correct filter is

If you want to capture traffic to 1.2.3.4 in traffic with two levels of VLAN tagging, the correct filter is

(Bear in mind that

answered 18 Feb '14, 16:00 Guy Harris ♦♦

What you suggested makes sense, but unfortunately, it didn't work either. I am going to try the same idea with a different NIC card that understands double tags. I'll let you know how that works. And thanks for the response! (19 Feb '14, 07:06) randyp

Your frames are double tagged, but also 'encapsulated' in PPPoE. That's the reason why the capture filter does not work, because the IP header is at a different location if you encapsulate the frames in PPPoE. In this case the capture filter would be:

(19 Feb '14, 13:57) Kurt Knochner ♦

Thanks for the help, guys, that worked! Here's what I found, though:

Using a NIC card that is not capable of tagging VLANs, I had to use "vlan and pppoes and host 1.2.3.4". This would only show the inner tag of the double-tagged frame in my VLAN column.

If I use a NIC card that is capable of tagging, I had to use "vlan and vlan and pppoes and host 1.2.3.4". This would show both the inner and outer tags in the two VLAN columns I have set up in WS.

Thanks again! I will click the "Credit" button for you! (21 Feb '14, 09:16) randyp
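Why the plain `host 1.2.3.4` filter finds nothing, as an added example that is not part of the thread: a libpcap `host` test compiles to a check that the EtherType at offset 12 is 0x0800 and that one of the IPv4 addresses at offsets 26 or 30 matches. Each 802.1Q tag pushes the real EtherType and the IP header 4 bytes further in, and a PPPoE session header plus the PPP protocol field add another 8, so on a double-tagged PPPoE trunk the IPv4 header starts at offset 30 and the fixed-offset check reads tag and PPPoE bytes instead. The `vlan` and `pppoes` keywords in a filter such as randyp's working "vlan and vlan and pppoes and host 1.2.3.4" exist to move those offsets. The script below walks the headers the same way and compares the naive check with an encapsulation-aware one. The frames are constructed here (the MAC addresses and dummy payload are invented; the VLAN IDs 873 and 1032 are the ones randyp mentions), not taken from the CloudShark capture, and it assumes the uncompressed 2-byte PPP protocol field that is normal over PPPoE.

```python
"""Locate the IPv4 header inside Ethernet frames with 802.1Q tags and PPPoE.

Added example, not code from the thread. Shows why a capture filter that
assumes the IPv4 header sits right after the 14-byte Ethernet header matches
nothing on a double-tagged PPPoE trunk. The frames below are constructed
sample data, not captured traffic.
"""
import socket
import struct

ETHERTYPE_VLAN = {0x8100, 0x88A8, 0x9100}   # 802.1Q, 802.1ad (QinQ), legacy QinQ TPIDs
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPPOE_VER_TYPE = 0x11
PPPOE_CODE_SESSION = 0x00


def find_ipv4_header(frame):
    """Walk link-layer headers; return (ip_offset, vlan_ids, is_pppoe) or None.

    Assumes the uncompressed 2-byte PPP protocol field (the normal case over PPPoE).
    """
    if len(frame) < 14:
        return None
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan_ids = []
    while ethertype in ETHERTYPE_VLAN:              # 802.1Q tag: TCI(2) + next EtherType(2)
        if len(frame) < off + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan_ids.append(tci & 0x0FFF)               # low 12 bits of the TCI are the VLAN ID
        off += 4
    is_pppoe = False
    if ethertype == ETHERTYPE_PPPOE_SESSION:        # PPPoE: ver/type(1) code(1) sid(2) len(2), PPP proto(2)
        if len(frame) < off + 8:
            return None
        ver_type, code, _sid, _length, ppp_proto = struct.unpack_from("!BBHHH", frame, off)
        if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION or ppp_proto != PPP_PROTO_IPV4:
            return None
        off += 8
        is_pppoe = True
        ethertype = ETHERTYPE_IPV4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    return off, vlan_ids, is_pppoe


def host_matches(frame, host):
    """Encapsulation-aware equivalent of `host <ip>`: match IPv4 src or dst address."""
    found = find_ipv4_header(frame)
    if found is None:
        return False
    off = found[0]
    target = socket.inet_aton(host)
    return frame[off + 12:off + 16] == target or frame[off + 16:off + 20] == target


def naive_host_matches(frame, host):
    """What plain `host <ip>` checks: EtherType 0x0800 at offset 12, addresses at 26 and 30."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    target = socket.inet_aton(host)
    return frame[26:30] == target or frame[30:34] == target


def build_frame(src_ip, dst_ip, vlan_ids=(), pppoe=False):
    """Construct a minimal Ethernet frame carrying an IPv4 packet with a dummy payload (sample data)."""
    ip_len = 28                                    # 20-byte IPv4 header + 8 bytes of dummy payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + b"\x00" * 8
    hdr = bytes.fromhex("abcdef123456") + bytes.fromhex("001122334455")   # dst MAC, src MAC (invented)
    for i, vid in enumerate(vlan_ids):
        tpid = 0x88A8 if (i == 0 and len(vlan_ids) > 1) else 0x8100      # QinQ outer tag uses 802.1ad
        hdr += struct.pack("!HH", tpid, vid)
    if pppoe:
        hdr += struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
        hdr += struct.pack("!BBHHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, 0x0001,
                           ip_len + 2, PPP_PROTO_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + ip


if __name__ == "__main__":
    plain = build_frame("1.2.3.4", "10.0.0.1")
    qinq_pppoe = build_frame("10.0.0.1", "1.2.3.4", vlan_ids=(873, 1032), pppoe=True)
    for name, f in (("plain", plain), ("QinQ+PPPoE", qinq_pppoe)):
        print(name, find_ipv4_header(f), "naive:", naive_host_matches(f, "1.2.3.4"),
              "aware:", host_matches(f, "1.2.3.4"))
```

Running it shows the plain frame's IPv4 header at offset 14 and the double-tagged PPPoE frame's at offset 30; the naive check matches only the former, the header-walking check matches both. This is also why the NIC matters, as randyp found: a NIC or driver that strips the outer tag hands libpcap a frame with one tag fewer, so one `vlan` keyword is needed instead of two.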
Is it possible to post a small sample capture file (just a few frames, taken without capture filter) with the double vlan tags on google drive, dropbox, cloudshark.org?
Kurt, I did a raw capture with no filters, which captured all packets on the trunk (VLAN 873:1032 only on this pipe), then display-filtered it down to a single IP so it ended up with about 300 packets. Uploaded to CloudShark as VLAN873-1032-withSingleIP. Thanks for taking a look!
The link is missing.
http://cloudshark.org/captures/54c2818338ed
--Sorry. First timer.