One of the most annoying things I found when I started working on carrier networks was that while Wireshark's display filters worked perfectly, the capture filters frequently did not. I would regularly set up a capture filter only to find that no packets at all were saved - that's a real pain if you want to pull a few easily described packets out of a 50 Mbps stream across a period of 20 minutes.

After a while I realised that my problem was related to encapsulation. Unlike the hierarchical and detailed display filters, capture filters have to be really fast - that basically means using bit masks and comparing values at fixed offsets. With plain old untagged Ethernet frames the filters work fine; however, as soon as you add 802.1Q tags, PPP or MPLS, all the offsets are no longer valid and anything you match will be purely coincidental.

Luckily there are filter keywords to handle that situation. All of the following adjust the offsets for you each time they are used:

vlan - matches a single VLAN tag, the ID of which may optionally be specified by the user
mpls - matches a single MPLS label, the number of which may optionally be specified by the user

These are very flexible - for example if you are capturing QinQ traffic, you could match all the SMTP packets using:

If you know the VLAN IDs (or MPLS labels) in use, you can narrow the selection based on those. To show all the IGMP passing over a particular MPLS pseudowire with VLAN ID 200, you could use:

mpls 131066 & mpls 131068 & vlan 200 & pppoes & ip proto 2

For a long time I was using makeshift capture filters along the lines of " ether = 2" to match pertinent bytes in the packet (see my next blog post for info on that); however, you will probably agree this is much simpler.

These filters are equally applicable to Wireshark, Tshark and tcpdump, so they may be useful even when forced to capture using some really obscure UNIX box. For Tshark and tcpdump don't forget to put quotes around any expressions that use the ampersand (&).

Here are some examples of capture filters you can use in Wireshark:

Filter - Description
host 192.168.1.2 - All traffic associated with 192.168.1.
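To make the encapsulation problem concrete, here is an added Python example (not code from the original post) that builds the same IGMP packet under several encapsulations - untagged, 802.1Q, QinQ, and an MPLS pseudowire carrying VLAN 200 and a PPPoE session, matching the shape of the filter above - and compares a naive fixed-offset check (the IPv4 protocol byte at frame offset 23) with a walker that skips each VLAN tag, MPLS label and PPPoE header before reading the protocol field, which is what the vlan, mpls and pppoes keywords do for a capture filter. All frames, MAC addresses, session IDs and labels are constructed sample values; the walker assumes an Ethernet pseudowire without a control word and uses the first-nibble test (4 means IPv4) to decide what sits under the label stack.

```python
"""Why fixed-offset capture filters break under VLAN/MPLS/PPPoE encapsulation (added example)."""
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100       # 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8      # 802.1ad outer (service) tag, used for QinQ
ETH_P_MPLS = 0x8847        # MPLS unicast
ETH_P_PPPOE_SESS = 0x8864  # PPPoE session stage
PPP_IPV4 = 0x0021
IPPROTO_IGMP = 2


def ipv4_igmp() -> bytes:
    """Constructed sample: 20-byte IPv4 header, protocol 2 (IGMP), zero checksum, 8-byte IGMP body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, IPPROTO_IGMP, 0,
                      bytes([192, 168, 1, 2]), bytes([224, 0, 0, 1]))
    return hdr + bytes([0x11, 0x64, 0, 0, 0, 0, 0, 0])


def ether(ethertype: int, payload: bytes) -> bytes:
    """14-byte Ethernet header with constructed MAC addresses."""
    return bytes.fromhex("01005e000001") + bytes.fromhex("0200deadbeef") + struct.pack("!H", ethertype) + payload


def vlan(vid: int, next_type: int, payload: bytes) -> bytes:
    """4-byte tag body: TCI (PCP/DEI zero, 12-bit VID) followed by the next EtherType."""
    return struct.pack("!HH", vid & 0x0FFF, next_type) + payload


def mpls(labels: list, payload: bytes) -> bytes:
    """Label stack entries: label(20) | EXP(3) | S(1) | TTL(8); the S bit is set on the last entry."""
    out = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bottom << 8) | 64)
    return out + payload


def pppoe(session_id: int, ppp_proto: int, payload: bytes) -> bytes:
    """6-byte PPPoE session header followed by the 2-byte PPP protocol field."""
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(payload) + 2) + struct.pack("!H", ppp_proto) + payload


def ipv4_offset(frame: bytes) -> int:
    """Return the byte offset of the IPv4 header after walking VLAN, MPLS (incl. Ethernet pseudowires)
    and PPPoE headers. Raises ValueError if the frame does not lead to IPv4."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while True:
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            ethertype = struct.unpack_from("!H", frame, off + 2)[0]
            off += 4
        elif ethertype == ETH_P_MPLS:
            while True:  # walk the label stack until the bottom-of-stack bit
                entry = struct.unpack_from("!I", frame, off)[0]
                off += 4
                if entry & 0x100:
                    break
            if frame[off] >> 4 == 4:
                return off  # IPv4 directly under the label stack
            # Assumption: otherwise an Ethernet pseudowire with no control word, i.e. a fresh Ethernet header
            ethertype = struct.unpack_from("!H", frame, off + 12)[0]
            off += 14
        elif ethertype == ETH_P_PPPOE_SESS:
            ppp_proto = struct.unpack_from("!H", frame, off + 6)[0]
            off += 8
            if ppp_proto != PPP_IPV4:
                raise ValueError("PPP payload is not IPv4")
            return off
        elif ethertype == ETH_P_IP:
            return off
        else:
            raise ValueError(f"unhandled EtherType 0x{ethertype:04x}")


def ip_proto(frame: bytes) -> int:
    """Protocol field sits 9 bytes into the IPv4 header, wherever that header actually starts."""
    return frame[ipv4_offset(frame) + 9]


def naive_is_igmp(frame: bytes) -> bool:
    """Fixed-offset check (byte 23 == 2) that only holds for untagged Ethernet/IPv4."""
    return frame[23] == IPPROTO_IGMP


# Constructed frames: the same IGMP packet under increasingly heavy encapsulation.
FRAMES = {
    "plain": ether(ETH_P_IP, ipv4_igmp()),
    "vlan200": ether(ETH_P_8021Q, vlan(200, ETH_P_IP, ipv4_igmp())),
    "qinq": ether(ETH_P_8021AD, vlan(100, ETH_P_8021Q, vlan(200, ETH_P_IP, ipv4_igmp()))),
    "mpls_pw_vlan_pppoe": ether(ETH_P_MPLS, mpls([131066, 131068],
        ether(ETH_P_8021Q, vlan(200, ETH_P_PPPOE_SESS, pppoe(1, PPP_IPV4, ipv4_igmp()))))),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:20s} IPv4 at offset {ipv4_offset(frame):3d}  "
              f"naive match: {naive_is_igmp(frame)}  encapsulation-aware match: {ip_proto(frame) == IPPROTO_IGMP}")
```

Running it shows the IPv4 header landing at offset 14, 18, 22 and 48 respectively: the fixed-offset test only matches the untagged frame, while the walker finds protocol 2 in all four, which is exactly the difference between a hand-rolled byte match and the vlan/mpls/pppoes keywords adjusting offsets for you.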