
Revision history

initial version

Capture Filters - What am I doing wrong?

Guys, I know I'm not the sharpest tool in the crayon box but capture filters are really hanging me up from some constructive monitoring. I have a port mirror setup on a Procurve uplink port going into yonder Wireshark computer. Things seem to work fine up until I try to use capture filters.

Here are a few examples:

Capture filter: vlan 70 or vlan 90
Expected behavior: Show only frames with VLAN ID matching either 70 or 90
Actual behavior: Only VLAN 70 frames are captured
Sanity check: Not using a capture filter and then using a display filter shows both

Capture filter: icmp
Expected behavior: Show pings, replies, and other ICMP traffic
Actual behavior: Ping requests are shown but replies are not
Sanity check: Not using a capture shows both requests and replies

Capture filter: not ip
Expected behavior: Give me only ARP, STP, and other L2 stuff
Actual behavior: TCP and UDP as far as the eye can see
Sanity check: Am insane

Hope someone can elucidate some of the troubles I'm having with getting some desired captures.

Capture Filters - What am I doing wrong?

Guys, I know I'm not the sharpest tool in the crayon box but capture filters are really hanging me up from some constructive monitoring. I have a port mirror setup on a Procurve uplink port going into yonder Windows 10 Wireshark computer. Things seem to work fine up until I try to use capture filters.

Here are a few examples:

Capture filter: vlan 70 or vlan 90
Expected behavior: Capture only frames with VLAN ID matching either 70 or 90
Actual behavior: Only VLAN 70 frames are captured
Sanity check: Captured without a filter and verified with a display filter that both can be captured, filtered

Capture filter: icmp
Expected behavior: Show pings, replies, and other ICMP traffic
Actual behavior: Ping requests are captured but replies are not
Sanity check: Capturing without a filter yields both requests and replies

Capture filter: not ip
Expected behavior: Capture only ARP, STP, and other L2 stuff
Actual behavior: TCP and UDP as far as the eye can see
Sanity check: Am insane

Hope someone can elucidate some of the troubles I'm having with getting some desired captures.

Edit1: Also, I have the latest Wireshark and winPcap versions.
Edit2: Replaced "show(n)" with "capture(d)" where appropriate to be less confusing
Edit3: All traffic I'm trying to monitor is IPv4 and VLANs.
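Added example, not part of the original post: a small Python model of how libpcap lays out the offsets that these three filters compile to, run over constructed frames (untagged, single-tagged VLAN 70 and 90, and one double-tagged frame). It reproduces all three symptoms: `icmp` and `not ip` test the EtherType at offset 12, which is 0x8100 on every 802.1Q-tagged frame, and the first `vlan` primitive shifts every later primitive by 4 bytes, so `vlan 70 or vlan 90` only ever finds VLAN 90 as an inner (Q-in-Q) tag. The frame builder, the token set and the sample frames are assumptions of this example; the offset rule itself is the one the pcap-filter man page documents.

```python
import re

ETH_IP, ETH_VLAN = 0x0800, 0x8100          # EtherTypes for IPv4 and 802.1Q
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # IPv4 protocol numbers

def frame(vlans, proto):
    """Constructed test frame: zeroed MACs, zero or more 802.1Q tags, minimal IPv4 header."""
    f = bytes(12)
    for vid in vlans:
        f += ETH_VLAN.to_bytes(2, "big") + vid.to_bytes(2, "big")
    ip = bytearray(20); ip[0] = 0x45; ip[9] = proto
    return f + ETH_IP.to_bytes(2, "big") + bytes(ip)
def _u16(f, o):
    return int.from_bytes(f[o:o + 2], "big") if len(f) >= o + 2 else -1
def _vlan(f, off, vid):   # 802.1Q tag expected at the (shifted) EtherType slot
    return _u16(f, 12 + off) == ETH_VLAN and (vid is None or _u16(f, 14 + off) & 0x0FFF == vid)
def _ipproto(f, off, p):  # IPv4 at the (shifted) EtherType slot; protocol is byte 9 of the IP header
    return _u16(f, 12 + off) == ETH_IP and len(f) > 23 + off and f[23 + off] == p

def compile_filter(expr):
    """Compile a pcap-style expression into a predicate over raw frames. Offsets are fixed at
    compile time: every `vlan` token adds 4 to the offset of all later tokens (pcap-filter(7))."""
    py, off, toks, i = [], 0, re.findall(r"\(|\)|\w+", expr), 0
    while i < len(toks):
        t = toks[i]; i += 1
        if t in ("and", "or", "not", "(", ")"):
            py.append(t)
        elif t == "vlan":
            vid = None
            if i < len(toks) and toks[i].isdigit():
                vid, i = int(toks[i]), i + 1
            py.append(f"_vlan(f, {off}, {vid})")
            off += 4                       # the shift applies even if this term does not match
        elif t == "ip":
            py.append(f"(_u16(f, {12 + off}) == ETH_IP)")
        elif t in PROTO:
            py.append(f"_ipproto(f, {off}, {PROTO[t]})")
        else:
            raise ValueError(f"unsupported token: {t}")
    env = {"_vlan": _vlan, "_ipproto": _ipproto, "_u16": _u16, "ETH_IP": ETH_IP}
    return eval("lambda f: " + " ".join(py), env)   # only whitelisted tokens reach eval

FRAMES = {                                  # constructed sample traffic from a mirror port
    "untagged icmp": frame([], 1), "vlan70 icmp": frame([70], 1), "vlan90 icmp": frame([90], 1),
    "vlan90 tcp": frame([90], 6), "qinq 50/90 tcp": frame([50, 90], 6),
}

def captured(expr):
    """Names of the sample frames a capture filter would let through."""
    pred = compile_filter(expr)
    return [name for name, f in FRAMES.items() if pred(f)]
```

With real libpcap the same shift explains why `vlan and icmp` sees the tagged replies that plain `icmp` misses, and a single tag field can be tested twice without a second shift by using byte arithmetic on the outer frame, e.g. `vlan and (ether[14:2] & 0x0fff = 70 or ether[14:2] & 0x0fff = 90)`. Before trusting any capture, check what the filter actually compiled to with `tcpdump -d '<filter>'` on a libpcap host.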