<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o = "urn:schemas-microsoft-com:office:office"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>You need to write a filter like "vlan and ip host 1.2.3.4".
This is by design; it's how VLAN filtering works in
libpcap/WinPcap.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>There was a thread related to this on the wireshark-users
mailing list; here's a link to it:</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2><A
href="http://www.wireshark.org/lists/wireshark-users/200705/msg00004.html">http://www.wireshark.org/lists/wireshark-users/200705/msg00004.html</A></FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Have a nice day</FONT></DIV>
<DIV><FONT size=2>GV</FONT></DIV>
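<DIV><FONT size=2>Added example (not part of the original thread and not libpcap's own code): a Python model of the fixed-offset checks behind these filters, run over constructed frames, showing why "ip host" misses 802.1Q-tagged traffic while "vlan and ip host" misses untagged traffic. The function names, the peer address 192.0.2.7, VLAN 20 and the combined "or" form are assumptions of this example.</FONT></DIV>

```python
import socket
import struct

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample: Ethernet header, optional 802.1Q tag, bare IPv4 header."""
    macs = bytes(12)  # zeroed destination and source MAC addresses
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def match_ip_host(frame, host, shift=0):
    """Model of 'ip host X': fixed-offset loads, no walking of the headers."""
    off = 12 + shift                      # where the EtherType is expected
    if off + 22 > len(frame):             # EtherType (2) + IPv4 header (20)
        return False
    if struct.unpack_from("!H", frame, off)[0] != ETH_IPV4:
        return False
    ip, addr = off + 2, socket.inet_aton(host)
    return addr in (frame[ip + 12:ip + 16], frame[ip + 16:ip + 20])

def match_vlan_and_ip_host(frame, host):
    """Model of 'vlan and ip host X': need 0x8100 at offset 12, then shift by 4."""
    if 14 > len(frame) or struct.unpack_from("!H", frame, 12)[0] != ETH_8021Q:
        return False
    return match_ip_host(frame, host, shift=4)

def evaluate(frame, host):
    """Verdict of each filter form for one frame."""
    plain = match_ip_host(frame, host)
    tagged = match_vlan_and_ip_host(frame, host)
    return {"ip host": plain, "vlan and ip host": tagged,
            "ip host or (vlan and ip host)": plain or tagged}

if __name__ == "__main__":
    host = "10.10.10.10"  # address from the thread; peer address is constructed
    for label, vid in (("untagged", None), ("802.1Q tagged", 20)):
        print(label, evaluate(build_frame(host, "192.0.2.7", vid), host))
```

<DIV><FONT size=2>On a monitor port that carries both tagged and untagged frames, only the combined form keeps both kinds; either single form silently drops one of them.</FONT></DIV>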
<DIV> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Steighton_Haley@mcafee.com
href="mailto:Steighton_Haley@mcafee.com">Steighton_Haley@mcafee.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, May 11, 2007 9:51 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Winpcap-users] WinPcap 4
&amp; Cisco Spanned Ports</DIV>
<DIV><BR></DIV>
<DIV dir=ltr align=left><SPAN class=154554616-11052007><FONT face=Arial
color=#800080 size=2>Sounds like a bug in the filter interpretation code
(probably exists in the base pcap libraries)... </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=154554616-11052007><FONT face=Arial
color=#800080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=154554616-11052007><FONT face=Arial
color=#800080 size=2>802.1Q encapsulation wraps the entire packet, so unless
the filter application is specifically built to recognize the encapsulation,
the packet will not be recognized as an IP packet, and so no IP address will
be found. If no IP address is found, the packet doesn't match your
filter, etc.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#800080 size=2></FONT> </DIV>
<DIV><SPAN class=154554616-11052007><FONT face=Arial color=#800080
size=2>SLH.</FONT></SPAN></DIV>
<P><FONT size=2>---<BR>Steighton
Haley
shaley@mcafee.com<BR>Software Engineer<BR><BR>"Why do nerds confuse Halloween
and Christmas? Because OCT31=DEC25"</FONT> </P>
<DIV> </DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #800080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] <B>On Behalf Of </B>Keith
French<BR><B>Sent:</B> Friday, May 11, 2007 6:25 AM<BR><B>To:</B>
winpcap-users@winpcap.org<BR><B>Subject:</B> [Winpcap-users] WinPcap 4 &amp;
Cisco Spanned Ports<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2>I am using Tshark supplied
with Wireshark V0.10.5 and trying to use a capture filter when
monitoring a Cisco Catalyst 2950 span port.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">It is a Cisco Catalyst 2950EI
running IOS version 12.1(20EA2)</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">I am trying to span a trunk
port and look at 802.1Q VLAN headers, but if I specify a valid capture
filter of host 10.10.10.10 no packets are captured. I have found it only
affects Tshark when the encapsulation dot1q is added to the destination
interface of a monitor session. The problem would seem to be with WinPcap
(tried versions 3.1 and 4.0) as Netasyst is fine.</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">Let me explain in more
detail:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">Interface fa0/24 on the
Catalyst 2950EI is an 802.1Q trunk to another 2950EI and interface fa0/4
is where the TShark PC is connected to. Using this span session:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 source
interface fa0/24</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 destination
interface fa0/4</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">This works OK with:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">or</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3 -f "host
10.10.10.10"</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">If the monitor session is
changed to include the encapsulation of dot1q:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 source
interface fa0/24</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 destination
interface fa0/4 encapsulation dot1q</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">This works OK with:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">but no packets are captured
with:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3 -f "host
10.10.10.10"</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">With Netasyst using the same
IP address as a capture filter e.g. to include IP 10.10.10.10 to any</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">It captures fine with or
without the encapsulation dot1q </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face=Arial size=2>Any
Ideas?</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face=Arial
size=2></FONT> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face=Arial size=2>Keith
French.</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal
style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P></DIV></BLOCKQUOTE>
<P>
<HR>
<P></P></BLOCKQUOTE></BODY></HTML>