[Winpcap-users] WinPcap 4 & Cisco Spanned Ports
Keith French
keithfrench at btconnect.com
Fri May 11 13:24:36 GMT 2007
I am using Tshark supplied with Wireshark V0.10.5 and trying to use a capture filter when monitoring a Cisco Catalyst 2950 span port.
It is a Cisco Catalyst 2950EI running IOS version 12.1(20EA2)
I am trying to span a trunk port and look at 802.1Q VLAN headers, but if I specify a valid capture filter of host 10.10.10.10 no packets are captured. I have found it only affects Tshark when the encapsulation dot1q is added to the destination interface of a monitor session. The problem would seem to be with WinPcap (tried versions 3.1 and 4.0) as Netasyst is fine.
Let me explain in more detail:-
Interface fa0/24 on the Catalyst 2950EI is an 802.1Q trunk to another 2950EI and interface fa0/4 is where the TShark PC is connected. Using this span session:-
monitor session 1 source interface fa0/24
monitor session 1 destination interface fa0/4
This works OK with:-
tshark -i 3
or
tshark -i 3 -f "host 10.10.10.10"
If the monitor session is changed to include the encapsulation of dot1q:-
monitor session 1 source interface fa0/24
monitor session 1 destination interface fa0/4 encapsulation dot1q
This works OK with:-
tshark -i 3
but no packets are captured with:-
tshark -i 3 -f "host 10.10.10.10"
With Netasyst, using the same IP address as a capture filter (e.g. to include IP 10.10.10.10 to any), it captures fine with or without the encapsulation dot1q.
Any Ideas?
Keith French.
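
Added example, not part of the original post: a plain "host" capture filter compiles to fixed byte offsets (EtherType at byte 12, IPv4 addresses at bytes 26 and 30), and an 802.1Q tag moves all of them by 4 bytes, which is why pcap-filter has a "vlan" primitive (e.g. "vlan and host 10.10.10.10"). The frames, MAC addresses, VLAN ID and function names below are constructed for illustration, assuming this offset shift is what the dot1q session triggers.

```python
import socket
import struct

ETH_IPV4 = 0x0800   # EtherType for IPv4
ETH_8021Q = 0x8100  # TPID that marks an 802.1Q tag

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet/IPv4 frame, optionally 802.1Q-tagged."""
    macs = bytes.fromhex("00112233445566778899aabb")  # made-up dst + src MAC
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def match_host(frame, ip, l2_shift=0):
    """Fixed-offset test in the style of a compiled 'host' filter.
    Only the IPv4 branch is modelled (the ARP/RARP branches are omitted)."""
    off = 12 + l2_shift                      # where the EtherType is expected
    if len(frame) < off + 22:
        return False
    if struct.unpack_from("!H", frame, off)[0] != ETH_IPV4:
        return False                         # a tagged frame has 0x8100 at byte 12
    addr = socket.inet_aton(ip)
    return addr in (frame[off + 14:off + 18], frame[off + 18:off + 22])

def match_vlan_host(frame, ip):
    """Model of 'vlan and host X': require the 802.1Q TPID at byte 12,
    then run the same test with every offset moved 4 bytes."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_8021Q:
        return False
    return match_host(frame, ip, l2_shift=4)

def classify(frame, ip):
    """Result of each filter expression for one frame."""
    plain, vlan = match_host(frame, ip), match_vlan_host(frame, ip)
    return {"host": plain, "vlan and host": vlan,
            "host or (vlan and host)": plain or vlan}

# Constructed samples: one untagged frame, one tagged with VLAN 20.
UNTAGGED = build_frame("10.10.10.10", "192.168.1.5")
TAGGED = build_frame("192.168.1.5", "10.10.10.10", vlan_id=20)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("dot1q", TAGGED)):
        print(name, classify(frame, "10.10.10.10"))
```

The last expression in classify() corresponds to a filter that accepts both tagged and untagged traffic on the same span port.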