This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can capture filters capture both Tx and Rx traffic?


Hey all,

I'm trying to filter capture traffic. I want to see all LPD traffic to/from a particular printer. However, regardless of whether I use "host 1.2.3.4" or "tcp port 515", Wireshark captures only traffic originating from the printer; it doesn't capture traffic from the other side of the TCP connection.

When I capture with no capture filters, both Tx and Rx are captured.

I'm running v1.10.6 on Mac OS 10.9.2.

Thanks!

asked 17 Apr '14, 23:57

noamb

Does your capturing system (or possibly the printer) use VLAN-tagged traffic? In other words: do you see VLAN tags in the 'printer frames' while you capture without a capture filter?

(19 Apr '14, 16:11) Kurt Knochner ♦

Thanks Kurt, nope, there are no VLANs on this network.

Update: I tried these same captures using tcpdump instead of the Wireshark GUI.

tcpdump -i en0 host 1.2.3.4
tcpdump -i en0 tcp port 515

... both capture ONLY traffic originating from the printer. But

tcpdump -i en0

with no filters captures everything. Too much, though!

Help?

(21 Apr '14, 14:35) noamb

Given that the same code path is used by Wireshark/dumpcap and by tcpdump when capturing traffic, it's not at all surprising that they give the same results.

If you capture without a capture filter (if you're using tcpdump, save the capture to a pcap file, using the -w flag), and then look at the capture in Wireshark and apply a display filter of tcp.port == 515, what do you see?

(21 Apr '14, 15:15) Guy Harris ♦♦

Thanks Guy. Capturing without a filter and then using a display filter does show that bidirectional traffic was captured. However, that's too much traffic for me to capture and then filter.

(21 Apr '14, 15:45) noamb

OK, so, when you capture without a filter and then use a display filter:

  • do the packets going to the printer have the destination IP address of the printer (the one you replaced with "1.2.3.4" in your example)?
  • do the packets going to the printer have a TCP destination port number of 515?
  • do the packets going to the printer have an Ethernet type of 0x0800?

(21 Apr '14, 15:49) Guy Harris ♦♦

Guy,

WHOOPS.

<sheepish>

Packets TO the printer:

Ethertype = 0x8100 (VLAN)

with VLAN ID 1. The packets FROM the printer are

Ethertype = 0x0800 (IP)

I don't get it, though -- how can I capture all the traffic despite this situation?

Crawling back to my hole now.

:)

(21 Apr '14, 16:28) noamb

"Thanks Kurt, nope, there are no VLANs on this network."

well... ;-)

(21 Apr '14, 16:43) Kurt Knochner ♦

Right Kurt, I stand 110% corrected. Thank you.

(21 Apr '14, 17:00) noamb

One Answer:


"How can I capture all the traffic" meaning "why am I seeing all the traffic with no filter" or "how can I use a filter and still see all the traffic"?

The answer to the first question is "there's no filter, so it just gives you the packets without testing them, so the VLAN headers don't matter."

The answer to the second question is "host 1.2.3.4 or (vlan and host 1.2.3.4)" or "tcp port 515 or (vlan and tcp port 515)".

answered 21 Apr '14, 16:32

Guy Harris ♦♦
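An added example, not code from this thread, from Wireshark or from libpcap: a small Python decoder that reads Ethernet, 802.1Q, IPv4 and TCP fields at fixed offsets, the way a compiled BPF capture filter does, and applies it to constructed frames. It reproduces both the diagnostic questions above (what EtherType do the frames to and from the printer carry?) and the two filter forms in this answer: "host 1.2.3.4" and "tcp port 515" keep only the untagged frames from the printer, while "host 1.2.3.4 or (vlan and host 1.2.3.4)" and "tcp port 515 or (vlan and tcp port 515)" keep the VLAN-tagged frames to it as well. The printer address 1.2.3.4 is the placeholder from the question; the client address 10.0.0.9, the MACs and the frames are constructed test data. The emulated "vlan" qualifier requires EtherType 0x8100 at offset 12 and shifts every later offset by 4 bytes, which is how pcap-filter documents it.

```python
# Added example, not code from the original thread: a tiny Ethernet / 802.1Q / IPv4 / TCP
# decoder that reads fields at fixed offsets the way a compiled BPF capture filter does.
# It shows why "host 1.2.3.4" (or "tcp port 515") matches only the untagged frames FROM
# the printer, and why "... or (vlan and ...)" also matches the 802.1Q-tagged frames TO it.
# Addresses (printer 1.2.3.4, client 10.0.0.9), MACs and frames are constructed test data.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
LPD_PORT = 515


def build_frame(src_ip, dst_ip, src_port, dst_port, vlan_id=None):
    """Build a minimal Ethernet(+optional 802.1Q)/IPv4/TCP frame (no payload, zero checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    if vlan_id is not None:
        # 802.1Q tag: TPID 0x8100 followed by the TCI; the VLAN ID sits in the low 12 bits
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


def outer_ethertype(frame):
    """The EtherType at offset 12: what Wireshark shows as the frame type (0x8100 when tagged)."""
    return struct.unpack_from("!H", frame, 12)[0]


def _ipv4_tcp_fields(frame, type_offset):
    """Return (src_ip, dst_ip, src_port, dst_port) assuming the EtherType sits at type_offset.
    Like BPF, this does not walk headers: if the bytes at the expected place are not 0x0800
    the frame simply does not match."""
    if struct.unpack_from("!H", frame, type_offset)[0] != ETHERTYPE_IPV4:
        return None
    ip_off = type_offset + 2
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:  # IP protocol field must be TCP
        return None
    src = str(ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16]))
    dst = str(ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20]))
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return src, dst, sport, dport


def _fields(frame, vlan):
    """vlan=False emulates a plain filter (EtherType expected at offset 12); vlan=True emulates
    the 'vlan' qualifier, which requires 0x8100 at 12 and shifts later offsets by 4 bytes."""
    if not vlan:
        return _ipv4_tcp_fields(frame, 12)
    if outer_ethertype(frame) != ETHERTYPE_VLAN:
        return None
    return _ipv4_tcp_fields(frame, 16)


def filter_host(frame, host, vlan=False):
    """Emulate 'host HOST' (vlan=False) or 'vlan and host HOST' (vlan=True)."""
    f = _fields(frame, vlan)
    return f is not None and host in (f[0], f[1])


def filter_tcp_port(frame, port, vlan=False):
    """Emulate 'tcp port PORT' (vlan=False) or 'vlan and tcp port PORT' (vlan=True)."""
    f = _fields(frame, vlan)
    return f is not None and port in (f[2], f[3])


def capture(frames, predicate):
    """Return the indices of the frames a capture-filter predicate would keep."""
    return [i for i, fr in enumerate(frames) if predicate(fr)]


# Constructed traffic: the printer replies untagged, the frames sent to it carry VLAN 1,
# plus one unrelated flow that no printer filter should keep.
FROM_PRINTER = build_frame("1.2.3.4", "10.0.0.9", LPD_PORT, 40000)
TO_PRINTER = build_frame("10.0.0.9", "1.2.3.4", 40000, LPD_PORT, vlan_id=1)
UNRELATED = build_frame("10.0.0.9", "10.0.0.20", 40001, 80)
FRAMES = [FROM_PRINTER, TO_PRINTER, UNRELATED]

if __name__ == "__main__":
    print("EtherTypes:", [hex(outer_ethertype(f)) for f in FRAMES])
    print("host 1.2.3.4 keeps:",
          capture(FRAMES, lambda f: filter_host(f, "1.2.3.4")))
    print("host 1.2.3.4 or (vlan and host 1.2.3.4) keeps:",
          capture(FRAMES, lambda f: filter_host(f, "1.2.3.4")
                  or filter_host(f, "1.2.3.4", vlan=True)))
    print("tcp port 515 or (vlan and tcp port 515) keeps:",
          capture(FRAMES, lambda f: filter_tcp_port(f, LPD_PORT)
                  or filter_tcp_port(f, LPD_PORT, vlan=True)))
```

The order in the answer's filter matters for the real thing as well: pcap-filter applies the offset shift from the first "vlan" keyword to the remainder of the expression, so the untagged half ("host 1.2.3.4") goes before the "(vlan and host 1.2.3.4)" half, exactly as written above.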