[Winpcap-users] WinPcap 4 & Cisco Spanned Ports

Gianluca Varenni gianluca.varenni at cacetech.com
Fri May 11 17:35:32 GMT 2007

You need to write a filter like "vlan and ip host". This is by design, it's how vlan filtering works in libpcap/WinPcap.

There was a thread related to this in the wireshark-users mailing list, here's a link to it


Have a nice day

  ----- Original Message ----- 
  From: Steighton_Haley at mcafee.com 
  To: winpcap-users at winpcap.org 
  Sent: Friday, May 11, 2007 9:51 AM
  Subject: RE: [Winpcap-users] WinPcap 4 & Cisco Spanned Ports

  Sounds like a bug in the filter interpretation code (probably exists in the base pcap libraries)... 

  802.1Q encapsulation wraps the entire packet, so unless the filter application is specifically built to recognize the encapsulation, the packet will not be recognized as an IP packet, and so no IP address will be found.  If no IP address is found, the packet doesn't match your filter, etc.

  Steighton Haley                          shaley at mcafee.com
  Software Engineer

  "Why do nerds confuse Halloween and Christmas?  Because OCT31=DEC25" 

    From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Keith French
    Sent: Friday, May 11, 2007 6:25 AM
    To: winpcap-users at winpcap.org
    Subject: [Winpcap-users] WinPcap 4 & Cisco Spanned Ports

    I am using Tshark supplied with Wireshark V0.10.5 and trying to use a capture filter when a monitoring a Cisco Catalyst 2950 span port.

    It is a Cisco Catalyst 2950EI running IOS version 12.1(20EA2)


    I am trying to span a trunk port and look at 802.1Q VLAN headers, but if I specify a valid capture filter of host no packets are captured. I have found it only affects Tshark when the encapsulation dot1q is added to the destination interface of a monitor session. The problem would seem to be with WinPcap (tried versions 3.1 and 4.0) as Netasyst is fine.

    Let me explain in more detail:-

    Interface fa0/24 on the Catalyst 2950EI is a 802.1Q trunk to another 2950EI and interface fa0/4 is where the TShark PC is connected to. Using this span session:-.


    monitor session 1 source interface fa0/24

    monitor session 1 destination interface fa0/4


    This works OK with:-


    tshark -i 3




    tshark -i 3 -f "host"



    If the monitor session is changed to include the encapsulation of dot1q:-


    monitor session 1 source interface fa0/24

    monitor session 1 destination interface fa0/4 encapsulation dot1q


    This works OK with:-


    tshark -i 3


    but no packets are captured with:-


    tshark -i 3 -f "host"


    With Netasyst using the same IP address as a capture filter e.g. to include IP to any


    It captures fine with or without the encapsulation dot1q 

    Any Ideas?

    Keith French.






  Winpcap-users mailing list
  Winpcap-users at winpcap.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20070511/8da9b78c/attachment-0001.htm

More information about the Winpcap-users mailing list