I'm trying to capture RTP traffic from one of my IP phones. When I run Wireshark on the server connected to a span port I can easily see the RTP traffic. Unfortunately when I use a capture filter like this:
where the given IP is the address of my IP phone it doesn't display RTP traffic at all (just some ARP traffic). Actually when I use any capture filter at all (even just "udp") it cuts almost all traffic.
I know wireshark itself is ok because when I connect my laptop with the same version of wireshark to the same span port - it works just fine.
Is it possible that there's some other driver on the server that is conflicting with the pcap driver installed with Wireshark?
asked 07 Mar '12, 00:15
Most likely, your server does not strip the vlan tags from the frames (while your laptop does). This means you need to change the capture filter to:
to capture all traffic to and from host 192.168.9.4.
You can check whether there are VLAN tags in your packets by capturing without a filter and then looking at the Ethernet details to see if there is a VLAN tag present.
answered 07 Mar '12, 02:55
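The effect described in the answer above, as an added example that is not part of the original thread: a filter test that reads the EtherType at the fixed untagged offset stops matching once a 4-byte 802.1Q tag sits in front of it. The frames, the peer address 192.168.9.20, VLAN ID 100 and all function names are constructed for illustration.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # 802.1Q tag protocol identifier


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    macs = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
    udp = struct.pack("!HHHH", 16384, 16384, 8, 0)  # ports, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip + udp


def ip_offset(frame, vlan_aware):
    """Offset of the IPv4 header, or None if the frame is not seen as IPv4."""
    off = 12  # EtherType position in an untagged frame
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if vlan_aware and ethertype == ETH_VLAN:
        off += 4  # skip the 4-byte 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, off)
    return off + 2 if ethertype == ETH_IPV4 else None


def matches_host(frame, host, vlan_aware=False):
    """Mimic a 'host X' test: compare X with the IPv4 source and destination."""
    off = ip_offset(frame, vlan_aware)
    if off is None:
        return False
    return socket.inet_aton(host) in (frame[off + 12:off + 16], frame[off + 16:off + 20])


def matches_udp(frame, vlan_aware=False):
    """Mimic a 'udp' test: IPv4 protocol field equals 17."""
    off = ip_offset(frame, vlan_aware)
    return off is not None and frame[off + 9] == 17


if __name__ == "__main__":
    phone = "192.168.9.4"
    frames = {"untagged": build_frame(phone, "192.168.9.20"),
              "tagged": build_frame(phone, "192.168.9.20", vlan_id=100)}
    for name, frame in frames.items():
        print(name, "fixed-offset:", matches_host(frame, phone),
              "vlan-aware:", matches_host(frame, phone, vlan_aware=True))
```

Traffic that carries no IP header at the expected place, such as ARP, is unaffected by the `host` comparison here; the example only models the IPv4 path.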