
No packet with capture filter [closed]


Hello community,

I want to capture traffic to the internet with a capture filter. For that I use a VLAN on a Cisco switch with port mirror to the VLAN, consisting of only two ports: one port for the Ethernet output of a DSL modem, one port to the Ethernet interface of the internet router. When I start capturing I see all packets and can set a display filter, which works. After stopping the capture and setting a capture filter, like port 5050, no more packets are captured. No tested capture filter will work.
What is wrong? Thanks for any help

Michael

MichaelP
asked 2021-06-24 19:06:43 +0000

Closed for the following reason "the question is answered, right answer was accepted" by MichaelP 2021-07-04 14:51:57 +0000

Comments

Are you setting the capture filter on the Welcome Screen?
If so, select the interface to capture on then enter the capture filter.

Chuckc (2021-06-24 19:10:32 +0000)

Hello Chuckc, thanks for the answer. I tried two ways. First: at Wireshark start - selecting interface, setting capture filter. Second way: with Wireshark running - Option Capture - stopping capture - setting option with new filter, for example port 5060 - restart capture. No packets either way. Michael

MichaelP (2021-06-24 19:18:11 +0000)

Is there a VLAN header on the packets?
For testing, does a capture filter of vlan work?
What about vlan and port 5050 or vlan and port 5060?

Chuckc (2021-06-24 19:38:41 +0000)

Hello Chuckc, same problem. The ports on the Cisco switch are on vlan 3 as operational vlan. The Cisco mirror port shows traffic from vlan 3. Filter vlan doesn't work. Filter vlan 3 doesn't work. Filter vlan 3 and port 5060 doesn't work. The last line of the Wireshark screen says: Ethernet <live capture in progress> No packets. Switching off the capture filter, all packets are visible. Here I can set a display filter like "sip" and this will filter all traffic on port 5060. Looking at a selected packet in this case, I can't see any information about vlan in the frame.

MichaelP (2021-06-25 06:12:57 +0000)

To the community,

Could it be a problem of the protocol or frames? Protocol is PPPoE and frames are greater than 1500 bit. If it is so, how can I solve this?

MichaelP

MichaelP (2021-06-25 06:43:44 +0000)

1 Answer


If the packets are PPPoE encapsulated, you need to use the filter pppoes and port 5060. This is because the BPF filter engine needs to look at other offset locations for the port numbers, due to the PPPoE headers.

Hope this helps, if not, could you post the hex data of one packet that was captured without capture filter?

SYN-bit
answered 2021-06-25 11:44:28 +0000
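The offset shift described in the answer above, as an added example that is not part of the thread and not Wireshark or libpcap code: it builds a constructed SIP-over-UDP frame with and without PPPoE encapsulation and runs two simplified, IPv4-only matchers that look for the port where "port N" and "pppoes and port N" expect it. Function names, addresses and the payload are hypothetical; the PPPoE session EtherType 0x8864 and PPP protocol number 0x0021 are the standard values.

```python
import struct

ETH_IPV4, ETH_PPPOE_SESSION = 0x0800, 0x8864  # EtherTypes: IPv4, PPPoE session stage
PPP_IPV4 = 0x0021                             # PPP protocol number for IPv4

def build_frame(sport, dport, pppoe):
    """Constructed sample frame: Ethernet [+ PPPoE/PPP] + IPv4 + UDP (checksums 0)."""
    payload = b"OPTIONS sip:test@example.invalid SIP/2.0\r\n"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + udp
    macs = bytes.fromhex("020000000001020000000002")
    if not pppoe:
        return macs + struct.pack("!H", ETH_IPV4) + ip
    # PPPoE header: ver/type 0x11, code 0x00 (session data), session id, length
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ip) + 2)
    ppp = struct.pack("!H", PPP_IPV4)
    return macs + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe_hdr + ppp + ip

def _u16(frame, off):
    """Big-endian 16-bit field at off, or None if the frame is too short."""
    return struct.unpack_from("!H", frame, off)[0] if len(frame) >= off + 2 else None

def _has_port(frame, ip_off, port):
    """True if an IPv4 TCP/UDP packet at ip_off (not a later fragment) uses port."""
    if len(frame) < ip_off + 20 or frame[ip_off] >> 4 != 4:
        return False
    if frame[ip_off + 9] not in (6, 17) or _u16(frame, ip_off + 6) & 0x1FFF:
        return False            # not TCP/UDP, or a later fragment without L4 header
    l4 = ip_off + (frame[ip_off] & 0x0F) * 4
    return port in (_u16(frame, l4), _u16(frame, l4 + 2))

def match_port(frame, port):
    """Simplified 'port N': expects IPv4 right after the 14-byte Ethernet header."""
    return _u16(frame, 12) == ETH_IPV4 and _has_port(frame, 14, port)

def match_pppoes_port(frame, port):
    """Simplified 'pppoes and port N': IPv4 is 8 bytes deeper (6 PPPoE + 2 PPP)."""
    return (_u16(frame, 12) == ETH_PPPOE_SESSION and _u16(frame, 20) == PPP_IPV4
            and _has_port(frame, 22, port))

if __name__ == "__main__":
    for name, frame in (("plain", build_frame(40000, 5060, False)),
                        ("pppoe", build_frame(40000, 5060, True))):
        print(name, "port 5060:", match_port(frame, 5060),
              "| pppoes and port 5060:", match_pppoes_port(frame, 5060))
```

The same SIP packet is matched by only one of the two checks depending on its encapsulation, which is why a bare "port 5060" capture filter yields no packets on a mirrored PPPoE link.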

Comments

Hello SYN-bit

Thanks. Your help will work with Wireshark 2.2.5 and pcap, but not with the newest Wireshark 3.4.6 and npcap. There must be changes in how capture filters are defined, and at this time I can't find any information about it. pppoes is not allowed as a filter (red color), only ether proto 0x8846. If I add "&& port 5060" or "and port 5060" behind it, the filter is red and not working. MichaelP

MichaelP (2021-06-25 12:56:16 +0000)

pppoes and port 5060 works for me (as in the capture filter is accepted and goes green) with npcap.

grahamb (2021-06-25 13:20:08 +0000)

@MichaelP Did you select the right interface before typing in the capture filter? As capture filters are Link-layer specific, you need to have an Ethernet interface selected before entering the capture filter.

SYN-bit (2021-06-25 13:34:08 +0000)

When the filter box is red, what text is in the StatusBar?

It might be easier to test capture filters using tcpdump and a capture file, then move it to Wireshark when working. (Examples in this Gitlab issue)

Chuckc (2021-06-25 14:04:03 +0000)

Hello to Community.

Thanks all for your help. Yes, I selected the interface before. I checked different sources on the internet for building a capture filter and my filter doesn't work as expected. My last two actions: Test the filter recommended by SYN-bit with Wireshark 2.5.5 portable and pcap. Works excellent! Be informed that I used this filter before in my installation of Wireshark 3.4.6 without any success. Next: Try Wireshark 3.0.9 with npcap and filter pppoes && port 5060. What a surprise - it works. The same under Wireshark 3.4.6 with npcap doesn't. So the question is: new feature or bug? But my problem is now solved. Thanks again. MichaelP

MichaelP (2021-06-25 15:19:20 +0000)