[Winpcap-users] WinPcap filtering

Christopher Maynard Christopher.Maynard at gtech.com
Tue Feb 7 11:12:06 PST 2012


WeiJie Royce <penril_3 at ...> writes:

> I tried to filter ip host 172.16.164.221 in my WinPcap application, which is
> running in a virtual machine, but it doesn't capture the traffic from host
> 172.16.164.221. Why is it so? When I try to do so using Wireshark, it is able to
> capture traffic from 172.16.164.221, which is another virtual machine host. I've
> already set promiscuous mode on the VLAN Group and this works fine using
> Wireshark. I'm wondering if I'm using the filtering expression in the right
> manner. In Wireshark, I key in ip.addr==172.16.164.221 and I manage to get
> traffic that is related to that. Using my own application that is created using
> WinPcap doesn't allow me to capture traffic outside of my own. Please help!

"ip.addr==172.16.164.221" is a display filter, not a capture filter, so if you
have no capture filter set in Wireshark, that display filter will find your
packets of interest.

But, if you only want to capture packets to that host, you will need to set the
appropriate capture filter and because your Ethernet frames are vlan-tagged, "ip
host 172.16.164.221" isn't it.  In this case, you will need, at a minimum, a
capture filter such as, "vlan and host 172.16.164.221".

See also:
http://www.manpagez.com/man/7/pcap-filter/
http://wiki.wireshark.org/CaptureFilters
http://wiki.wireshark.org/VLAN
http://wiki.wireshark.org/CaptureSetup/VLAN

- Chris
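
The effect described in the reply above, as an added example that is not part of the original post and is not libpcap or WinPcap code: a simplified model of the fixed offsets that "ip host" and "vlan and host" check (IPv4 case only), run against constructed frames. The function names, the peer address 172.16.164.10 and VLAN ID 100 are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* IPv4 src or dst == addr, assuming the link-layer header is l2len bytes long. */
static int ip_host_at(const uint8_t *f, size_t len, size_t l2len, const uint8_t addr[4])
{
    if (len < l2len + 20 || be16(f + l2len - 2) != 0x0800) return 0;  /* EtherType IPv4 */
    return !memcmp(f + l2len + 12, addr, 4) || !memcmp(f + l2len + 16, addr, 4);
}

/* Model of "ip host A": EtherType expected at offset 12, IPv4 header at offset 14. */
int match_ip_host(const uint8_t *f, size_t len, const uint8_t addr[4])
{ return ip_host_at(f, len, 14, addr); }

/* Model of "vlan and host A": require TPID 0x8100 at offset 12, then shift offsets by 4. */
int match_vlan_and_host(const uint8_t *f, size_t len, const uint8_t addr[4])
{ return len >= 18 && be16(f + 12) == 0x8100 && ip_host_at(f, len, 18, addr); }

/* Constructed test frame in a 64-byte buffer: zeroed MACs, optional 802.1Q tag, bare IPv4 header. */
size_t build_frame(uint8_t *out, int vlan_id, const uint8_t src[4], const uint8_t dst[4])
{
    size_t off = 12;
    memset(out, 0, 64);
    if (vlan_id >= 0) {
        out[off++] = 0x81; out[off++] = 0x00;           /* TPID */
        out[off++] = (uint8_t)((vlan_id >> 8) & 0x0f);  /* TCI: priority 0, VLAN ID */
        out[off++] = (uint8_t)(vlan_id & 0xff);
    }
    out[off++] = 0x08; out[off++] = 0x00;               /* EtherType IPv4 */
    out[off] = 0x45;                                    /* version 4, IHL 5 */
    memcpy(out + off + 12, src, 4);
    memcpy(out + off + 16, dst, 4);
    return off + 20;
}

int main(void)
{
    const uint8_t host[4] = {172, 16, 164, 221}, peer[4] = {172, 16, 164, 10}; /* peer: constructed */
    uint8_t f[64];
    size_t n = build_frame(f, 100, host, peer);         /* VLAN ID 100: constructed */
    printf("tagged:   ip host=%d  vlan and host=%d\n", match_ip_host(f, n, host), match_vlan_and_host(f, n, host));
    n = build_frame(f, -1, peer, host);                 /* same hosts, no 802.1Q tag */
    printf("untagged: ip host=%d  vlan and host=%d\n", match_ip_host(f, n, host), match_vlan_and_host(f, n, host));
    return 0;
}
```

The untagged case shows the converse: "vlan and host" does not match frames that carry no 802.1Q tag.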



