This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Syslog and ICMP

0

What is the capture filter for getting both Syslog and ICMP Captures?

asked 24 May '17, 09:51


praveen453
6113
accept rate: 0%


One Answer:

0

Assuming that Syslog is transported over UDP port 514:

udp port 514 or icmp

answered 24 May '17, 13:47


Jaap ♦
11.7k16101
accept rate: 14%

No, I tried the above command before, but it is giving only the syslog capture, not both, as the function is "or". I used the below command: udp dst port 514 or icmp

(24 May '17, 23:10) praveen453

Well, this is the BPF (for Ethernet) if you're interested:

(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 6
(002) ldb      [20]
(003) jeq      #0x11            jt 4    jf 16
(004) ldh      [56]
(005) jeq      #0x202           jt 15   jf 16
(006) jeq      #0x800           jt 7    jf 16
(007) ldb      [23]
(008) jeq      #0x11            jt 9    jf 14
(009) ldh      [20]
(010) jset     #0x1fff          jt 16   jf 11
(011) ldxb     4*([14]&0xf)
(012) ldh      [x + 16]
(013) jeq      #0x202           jt 15   jf 16
(014) jeq      #0x1             jt 15   jf 16
(015) ret      #262144
(016) ret      #0

Maybe, when looking at the frame, you can figure out why it's not working for you. If VLAN is involved prefix the filter with the vlan keyword.

(25 May '17, 07:56) Jaap ♦
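To make the "or" semantics concrete, here is an added example (not code from the thread, from Wireshark or from tcpdump): a toy interpreter for just the classic-BPF opcodes that appear in the listing above, fed the listing verbatim and run over a handful of constructed Ethernet frames. The frames, addresses and syslog message are all made up for the demonstration. Reading the listing, it loads the UDP destination port only (offset [56] for IPv6, [x + 16] for IPv4), so it corresponds to the `udp dst port 514 or icmp` form; the answer's `udp port 514 or icmp` would additionally match traffic coming from port 514. Either way, a frame is accepted if it is syslog over UDP or IPv4 ICMP, so a capture that shows only syslog means the ICMP is not reaching the capturing interface in a form the filter recognizes (for example it is ICMPv6, fragmented, or VLAN-tagged, which the samples below illustrate).

```python
import struct

# The BPF program quoted in the thread (tcpdump -d style output), embedded
# verbatim so the interpreter below can run it against constructed frames.
BPF_LISTING = """\
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 6
(002) ldb      [20]
(003) jeq      #0x11            jt 4    jf 16
(004) ldh      [56]
(005) jeq      #0x202           jt 15   jf 16
(006) jeq      #0x800           jt 7    jf 16
(007) ldb      [23]
(008) jeq      #0x11            jt 9    jf 14
(009) ldh      [20]
(010) jset     #0x1fff          jt 16   jf 11
(011) ldxb     4*([14]&0xf)
(012) ldh      [x + 16]
(013) jeq      #0x202           jt 15   jf 16
(014) jeq      #0x1             jt 15   jf 16
(015) ret      #262144
(016) ret      #0
"""

def parse_listing(text):
    """Turn '(nnn) op operands' lines into (op, operand-string) tuples."""
    prog = []
    for line in text.strip().splitlines():
        _, op, *rest = line.split()
        prog.append((op, " ".join(rest)))
    return prog

def run_bpf(prog, pkt):
    """Toy classic-BPF interpreter for the opcode subset in the listing.
    Returns the ret value: 0 = reject, >0 = number of bytes to capture."""
    acc = idx = pc = 0
    while True:
        op, arg = prog[pc]
        if op in ("ldh", "ldb"):                    # load half-word / byte into A
            width = 2 if op == "ldh" else 1
            inner = arg.strip("[]").replace(" ", "")
            off = idx + int(inner[2:]) if inner.startswith("x+") else int(inner)
            if off + width > len(pkt):              # out-of-range load rejects
                return 0
            acc = int.from_bytes(pkt[off:off + width], "big")
            pc += 1
        elif op == "ldxb":                          # only form used: 4*([N]&0xf)
            off = int(arg.split("[")[1].split("]")[0])
            if off >= len(pkt):
                return 0
            idx = 4 * (pkt[off] & 0xF)              # IPv4 header length in bytes
            pc += 1
        elif op in ("jeq", "jset"):                 # conditional jump on A
            k, _, jt, _, jf = arg.split()
            k = int(k[1:], 0)
            taken = (acc == k) if op == "jeq" else (acc & k) != 0
            pc = int(jt) if taken else int(jf)
        elif op == "ret":
            return int(arg[1:], 0)
        else:
            raise ValueError("unsupported opcode " + op)

# Minimal frame builders for constructed sample traffic (checksums left zero; BPF never checks them).
def eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload, frag=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth(0x0800, hdr + payload)

def ipv6(next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                      64, bytes(15) + b"\x01", bytes(15) + b"\x02")
    return eth(0x86DD, hdr + payload)

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SYSLOG = b"<13>May 24 09:51:00 host app: hello"      # constructed syslog line
SAMPLES = {
    "ipv4 udp to 514 (syslog)":  ipv4(17, udp(40000, 514, SYSLOG)),
    "ipv4 icmp echo request":    ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"),
    "ipv6 udp to 514 (syslog)":  ipv6(17, udp(40000, 514, SYSLOG)),
    "ipv4 udp to 53 (dns)":      ipv4(17, udp(40000, 53, bytes(12))),
    "ipv4 udp from 514 (reply)": ipv4(17, udp(514, 40000, b"ok")),
    "ipv4 udp to 514, fragment": ipv4(17, udp(40000, 514, SYSLOG), frag=1),
    "ipv6 icmpv6 echo":          ipv6(58, struct.pack("!BBHHH", 128, 0, 0, 1, 1)),
}

PROG = parse_listing(BPF_LISTING)

def accepted():
    """Map each sample frame to whether the quoted BPF program captures it."""
    return {name: run_bpf(PROG, frame) > 0 for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in accepted().items():
        print(f"{'CAPTURE' if ok else 'drop   '}  {name}")
```

Running it shows the IPv4 syslog datagram, the IPv4 ICMP echo and the IPv6 syslog datagram all accepted by the same program, while DNS, a reply from port 514, a non-first fragment and ICMPv6 are dropped; the last three are the usual reasons one side of an "or" filter appears to be missing. The interpreter implements only the loads, jumps and returns the listing uses, not the full BPF instruction set.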