<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o = "urn:schemas-microsoft-com:office:office"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1593" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=154554616-11052007><FONT face=Arial
color=#800080 size=2>Sounds like a bug in the filter interpretation code
(probably exists in the base pcap libraries)... </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=154554616-11052007><FONT face=Arial
color=#800080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=154554616-11052007><FONT face=Arial
color=#800080 size=2>802.1Q encapsulation wraps the entire packet, so unless the
filter application is specifically built to recognize the encapsulation, the
packet will not be recognized as an IP packet, and so no IP address will be
found. If no IP address is found, the packet doesn't match your filter,
etc.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#800080 size=2></FONT> </DIV>
<DIV><SPAN class=154554616-11052007><FONT face=Arial color=#800080
size=2>SLH.</FONT></SPAN></DIV><!-- Converted from text/plain format -->
<P><FONT size=2>---<BR>Steighton
Haley
shaley@mcafee.com<BR>Software Engineer<BR><BR>"Why do nerds confuse Halloween
and Christmas? Because OCT31=DEC25"</FONT> </P>
<DIV> </DIV><BR>
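<P>An added example (not part of either message, and not WinPcap or Wireshark code) modelling the fixed-offset check described in the reply above: a filter that expects the EtherType at byte 12 and the IPv4 addresses at bytes 26 and 30 misses a tagged frame, because the 4-byte 802.1Q tag shifts everything after the MAC addresses. The frames are constructed, the function names are hypothetical, and only the IPv4 branch of <CODE>host</CODE> is modelled.</P>

```python
import socket
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame: Ethernet II, optional 802.1Q tag, bare IPv4 header."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    frame += struct.pack("!H", ETH_P_IP)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return frame

def host_match(frame, ip, l2_len=14):
    """Simplified model of `host <ip>`: EtherType and addresses at fixed offsets."""
    if len(frame) < l2_len + 20:
        return False  # too short to hold an IPv4 header at this offset
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != ETH_P_IP:
        return False  # a tagged frame carries 0x8100 at byte 12, so it stops here
    addr = socket.inet_aton(ip)
    src = frame[l2_len + 12:l2_len + 16]
    dst = frame[l2_len + 16:l2_len + 20]
    return addr in (src, dst)

def vlan_host_match(frame, ip):
    """Model of `vlan and host <ip>`: require the tag, then shift offsets by 4."""
    if len(frame) < 14:
        return False
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_P_8021Q and host_match(frame, ip, l2_len=18)

def vlan_aware_host_match(frame, ip):
    """Model of `host <ip> or (vlan and host <ip>)`: tagged or untagged."""
    return host_match(frame, ip) or vlan_host_match(frame, ip)

if __name__ == "__main__":
    ip = "10.10.10.10"
    untagged = build_frame(ip, "10.10.10.20")             # span without dot1q
    tagged = build_frame(ip, "10.10.10.20", vlan_id=100)  # span with dot1q
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(name, host_match(frame, ip), vlan_aware_host_match(frame, ip))
```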
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #800080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] <B>On Behalf Of </B>Keith
French<BR><B>Sent:</B> Friday, May 11, 2007 6:25 AM<BR><B>To:</B>
winpcap-users@winpcap.org<BR><B>Subject:</B> [Winpcap-users] WinPcap 4 &
Cisco Spanned Ports<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2>I am using Tshark supplied
with Wireshark V0.10.5 and trying to use a capture filter when
monitoring a Cisco Catalyst 2950 span port.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">It is a Cisco Catalyst 2950EI
running IOS version 12.1(20EA2)</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">I am trying to span a trunk
port and look at 802.1Q VLAN headers, but if I specify a valid capture filter
of host 10.10.10.10 no packets are captured. I have found it only affects
Tshark when the encapsulation dot1q is added to the destination interface of a
monitor session. The problem would seem to be with WinPcap (tried versions 3.1
and 4.0) as Netasyst is fine.</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">Let me explain in more
detail:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">Interface fa0/24 on the
Catalyst 2950EI is an 802.1Q trunk to another 2950EI and interface fa0/4
is where the TShark PC is connected to. Using this span session:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 source
interface fa0/24</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 destination
interface fa0/4</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">This works OK with:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">or</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3 -f "host
10.10.10.10"</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">If the monitor session is
changed to include the encapsulation of dot1q:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 source
interface fa0/24</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">monitor session 1 destination
interface fa0/4 encapsulation dot1q</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">This works OK with:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">but no packets are captured
with:-</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">tshark -i 3 -f "host
10.10.10.10"</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">With Netasyst using the same IP
address as a capture filter e.g. to include IP 10.10.10.10 to any</P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">It captures fine with or
without the encapsulation dot1q </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face=Arial size=2>Any
Ideas?</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face=Arial
size=2></FONT> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face=Arial size=2>Keith
French.</FONT></P>
<P class=MsoNormal
style="MARGIN: 0cm 0cm 0pt"> <o:p></o:p></P></DIV></BLOCKQUOTE></BODY></HTML>