![]() ![]() ![]() If you want to capture all ICMP traffic, whether the ICMP traffic is VLAN-tagged or not, then you should be able to use a filter such as "icmp or (vlan and icmp)" Here's the sample BPF code: dumpcap -i eth0 -d -f "icmp or (vlan and icmp)" ![]() You can verify the resulting BPF code using dumpcap's -d option, for example: dumpcap -i eth0 -d -f "ether proto 0x8100 and (((ether & 0x0fff) = 70) or ((ether & 0x0fff) = 90))" Hope someone can elucidate some of the troubles I'm having with getting some desired captures.Įdit1: Also, I have the latest Wireshark and winPcap versions.Įdit2: Replaced "show(n)" with "capture(d)" where appropriate to be less confusingĮdit3: All traffic I'm trying to monitor is IPv4 and VLANs.įor capturing multiple vlans, you can use a capture filter such as this: ether proto 0x8100 and (((ether & 0x0fff) = 70) or ((ether & 0x0fff) = 90)) Sanity check: Capturing without a filter yields both requests and repliesĮxpected behavior: Capture only ARP, STP, and other L2 stuffĪctual behavior: TCP and UDP as far as the eye can see Sanity check: Captured without a filter and verified with a display filter that both can be captured, filteredĮxpected behavior: Show pings, replies, and other ICMP trafficĪctual behavior: Ping requests are captured but replies are not Things seem to work fine up until I try to use capture filters.Įxpected behavior: Capture only frames with VLAN ID matching either 70 or 90Īctual behavior: Only VLAN 70 frames are captured I have a port mirror setup on a Procurve uplink port going into yonder Windows 10 Wireshark computer. 5.Guys, I know I'm not the sharpest tool in the crayon box but capture filters are really hanging me up from some constructive monitoring. Now, we see only the ICMP Echo Request in the output. We can also display only ICMP Echo Requests using icmp=icmp-echo as the filter expression: $ tcpdump -n -i any icmp=icmp-echo Now, let’s ping the local host once more from another terminal: $ ping –c 1 10.0.2.15Ħ4 bytes from 10.0.2.15: icmp_seq=1 ttl=64 time=0.037 ms The -i option of tcpdump specifies the network interface to listen to. The -n option is for displaying IP addresses instead of hostnames. Tcpdump begins waiting for capturing ping packets. Listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes Tcpdump: verbose output suppressed, use -v… for full protocol decode Now, there is only the ICMP Echo Request in the output. We specify the capture filter using the -f option in this case: $ sudo tshark -i any -f icmp -Y icmp.type=8 We can use the -Y option of tshark to specify a display filter. Therefore, we successfully used tshark to detect who pinged our host. The first packet captured is the ICMP Echo Request we sent from the other terminal. The -i option of tshark specifies the network interface to listen to. Now, let’s ping our host from another terminal: $ ping –c 1 10.0.2.15 Tshark begins waiting to capture ICMP packets. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |