[Winpcap-users] WinPcap 4 & Cisco Spanned Ports
Gianluca Varenni
gianluca.varenni at cacetech.com
Fri May 11 17:35:32 GMT 2007
You need to write a filter like "vlan and ip host 1.2.3.4". This is by design; it's how VLAN filtering works in libpcap/WinPcap.
There was a thread related to this in the wireshark-users mailing list; here's a link to it:
http://www.wireshark.org/lists/wireshark-users/200705/msg00004.html
Have a nice day
GV
----- Original Message -----
From: Steighton_Haley at mcafee.com
To: winpcap-users at winpcap.org
Sent: Friday, May 11, 2007 9:51 AM
Subject: RE: [Winpcap-users] WinPcap 4 & Cisco Spanned Ports
Sounds like a bug in the filter interpretation code (probably exists in the base pcap libraries)...
802.1Q encapsulation wraps the entire packet, so unless the filter application is specifically built to recognize the encapsulation, the packet will not be recognized as an IP packet, and so no IP address will be found. If no IP address is found, the packet doesn't match your filter, etc.
SLH.
---
Steighton Haley shaley at mcafee.com
Software Engineer
"Why do nerds confuse Halloween and Christmas? Because OCT31=DEC25"
----------------------------------------------------------------------------
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Keith French
Sent: Friday, May 11, 2007 6:25 AM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] WinPcap 4 & Cisco Spanned Ports
I am using Tshark supplied with Wireshark V0.10.5 and trying to use a capture filter when monitoring a Cisco Catalyst 2950 span port.
It is a Cisco Catalyst 2950EI running IOS version 12.1(20EA2)
I am trying to span a trunk port and look at 802.1Q VLAN headers, but if I specify a valid capture filter of host 10.10.10.10 no packets are captured. I have found it only affects Tshark when the encapsulation dot1q is added to the destination interface of a monitor session. The problem would seem to be with WinPcap (tried versions 3.1 and 4.0) as Netasyst is fine.
Let me explain in more detail:-
Interface fa0/24 on the Catalyst 2950EI is an 802.1Q trunk to another 2950EI and interface fa0/4 is where the TShark PC is connected to. Using this span session:-
monitor session 1 source interface fa0/24
monitor session 1 destination interface fa0/4
This works OK with:-
tshark -i 3
or
tshark -i 3 -f "host 10.10.10.10"
If the monitor session is changed to include the encapsulation of dot1q:-
monitor session 1 source interface fa0/24
monitor session 1 destination interface fa0/4 encapsulation dot1q
This works OK with:-
tshark -i 3
but no packets are captured with:-
tshark -i 3 -f "host 10.10.10.10"
With Netasyst, using the same IP address as a capture filter (e.g. to include IP 10.10.10.10 to any), it captures fine with or without the encapsulation dot1q.
Any Ideas?
Keith French.
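Added example, not part of the original thread and not libpcap/WinPcap code: a Python sketch of the fixed-offset checks a compiled capture filter performs, showing why "host 10.10.10.10" misses 802.1Q-tagged frames while "vlan and ip host 10.10.10.10" matches them. The frames, MAC addresses, VLAN ID 20 and peer address 192.0.2.1 are constructed sample values, the function names are hypothetical, and the host test is simplified to IPv4 only.

```python
import socket
import struct

ETH_IPV4 = 0x0800    # EtherType for IPv4
ETH_8021Q = 0x8100   # TPID that marks an 802.1Q tag

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet + IPv4 header; a 4-byte 802.1Q tag is added if vlan_id is set."""
    macs = bytes.fromhex("02000000000a" "02000000000b")  # dst MAC, src MAC (made up)
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def match_host(frame, ip, l2_shift=0):
    """'ip host <ip>' style test: EtherType at byte 12, IPv4 src at 26, dst at 30,
    each moved by l2_shift bytes."""
    if len(frame) < 34 + l2_shift:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12 + l2_shift)
    if ethertype != ETH_IPV4:
        return False  # on a tagged frame with no shift, this field holds 0x8100
    addr = socket.inet_aton(ip)
    src = frame[26 + l2_shift:30 + l2_shift]
    dst = frame[30 + l2_shift:34 + l2_shift]
    return addr in (src, dst)

def match_vlan_and_host(frame, ip):
    """'vlan and ip host <ip>': require the 0x8100 tag at byte 12, then run the
    host test with every later offset moved 4 bytes past the tag."""
    if len(frame) < 14:
        return False
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_8021Q and match_host(frame, ip, l2_shift=4)

def demo():
    """Run both filters over an untagged and a tagged copy of the same packet."""
    untagged = build_frame("10.10.10.10", "192.0.2.1")
    tagged = build_frame("10.10.10.10", "192.0.2.1", vlan_id=20)
    return {
        "host, untagged": match_host(untagged, "10.10.10.10"),
        "host, tagged": match_host(tagged, "10.10.10.10"),
        "vlan and host, tagged": match_vlan_and_host(tagged, "10.10.10.10"),
        "vlan and host, untagged": match_vlan_and_host(untagged, "10.10.10.10"),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'captured' if hit else 'dropped'}")
```

The last case shows the other side of the design: once "vlan" is in the filter, untagged frames no longer match, so a capture that must see both needs both forms joined with "or".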