[Winpcap-users] WinPcap 4 & Cisco Spanned Ports

Steighton_Haley at McAfee.com Steighton_Haley at McAfee.com
Fri May 11 16:51:39 GMT 2007


Sounds like a bug in the filter interpretation code (probably exists in
the base pcap libraries)... 
 
802.1Q encapsulation wraps the entire packet, so unless the filter
application is specifically built to recognize the encapsulation, the
packet will not be recognized as an IP packet, and so no IP address will
be found.  If no IP address is found, the packet doesn't match your
filter, etc.
 
SLH.

---
Steighton Haley                          shaley at mcafee.com
Software Engineer

"Why do nerds confuse Halloween and Christmas?  Because OCT31=DEC25" 

 



From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Keith French
Sent: Friday, May 11, 2007 6:25 AM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] WinPcap 4 & Cisco Spanned Ports

I am using Tshark supplied with Wireshark V0.10.5 and trying to use a capture filter when monitoring a Cisco Catalyst 2950 span port.

It is a Cisco Catalyst 2950EI running IOS version 12.1(20EA2).

I am trying to span a trunk port and look at 802.1Q VLAN headers, but if I specify a valid capture filter of host 10.10.10.10 no packets are captured. I have found it only affects Tshark when the encapsulation dot1q is added to the destination interface of a monitor session. The problem would seem to be with WinPcap (tried versions 3.1 and 4.0) as Netasyst is fine.

Let me explain in more detail:-

Interface fa0/24 on the Catalyst 2950EI is an 802.1Q trunk to another 2950EI and interface fa0/4 is where the TShark PC is connected. Using this span session:-

    monitor session 1 source interface fa0/24
    monitor session 1 destination interface fa0/4

This works OK with:-

    tshark -i 3

or

    tshark -i 3 -f "host 10.10.10.10"

If the monitor session is changed to include the encapsulation of dot1q:-

    monitor session 1 source interface fa0/24
    monitor session 1 destination interface fa0/4 encapsulation dot1q

This works OK with:-

    tshark -i 3

but no packets are captured with:-

    tshark -i 3 -f "host 10.10.10.10"

With Netasyst, using the same IP address as a capture filter (e.g. to include IP 10.10.10.10 to any), it captures fine with or without the encapsulation dot1q.

Any ideas?

Keith French.
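The reply above explains why the capture filter stops matching once the SPAN session adds dot1q encapsulation: the 802.1Q tag sits between the Ethernet header and the IP header, so a parser that only knows the untagged layout sees EtherType 0x8100, never finds an IP header, and the "host" test fails. The following added example (not code from either poster, WinPcap or libpcap) builds a constructed frame with and without a VLAN tag and runs a naive and a VLAN-aware "host 10.10.10.10" check over each; frame contents, VLAN id 100 and the helper names are assumptions for illustration.

```python
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample data: an Ethernet frame carrying a minimal IPv4 header.

    With vlan_id set, an 802.1Q tag (TPID 0x8100 + TCI) is inserted after the
    MAC addresses, exactly as a dot1q-encapsulated SPAN port would deliver it.
    """
    macs = bytes.fromhex("0011223344550066778899aa")  # dst MAC + src MAC (constructed)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,                 # ver/IHL, TOS, len, id, frag, TTL, TCP, csum
        bytes(map(int, src_ip.split("."))),
        bytes(map(int, dst_ip.split("."))),
    )
    if vlan_id is None:
        return macs + struct.pack("!H", ETHERTYPE_IP) + ip_hdr
    tci = vlan_id & 0x0FFF                           # priority/DEI bits left at zero
    return macs + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IP) + ip_hdr


def ip_addresses(frame, vlan_aware):
    """Return (src, dst) of the IPv4 packet, or None if the frame is not recognised as IP."""
    offset = 12                                      # EtherType follows the two MACs
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    if ethertype == ETHERTYPE_8021Q:
        if not vlan_aware:
            return None                              # naive parser: 0x8100 is "not IP", give up
        offset += 2                                  # skip the 2-byte TCI
        ethertype = struct.unpack_from("!H", frame, offset)[0]  # encapsulated EtherType
        offset += 2
    if ethertype != ETHERTYPE_IP:
        return None
    src = frame[offset + 12:offset + 16]             # IPv4 source is 12 bytes into the header
    dst = frame[offset + 16:offset + 20]
    return (".".join(map(str, src)), ".".join(map(str, dst)))


def host_filter_matches(frame, host, vlan_aware):
    """Equivalent of the capture filter 'host <addr>': true if either address matches."""
    addrs = ip_addresses(frame, vlan_aware)
    return addrs is not None and host in addrs
```

libpcap's filter language has a `vlan` primitive that shifts the offsets of the primitives after it past the tag, so `vlan and host 10.10.10.10` is the filter-side counterpart of the VLAN-aware branch above.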