[opensuse] Wireshark filter problem OpenSUSE 11.0
I often use Wireshark and it appears that with the version included with 11.0, the filters no longer work properly. For example, I currently have my notebook computer plugged into a "mirror" port on a switch, which will allow me to monitor traffic to and from another switch port. If I don't use filters, I can see all the traffic for that other port. However, if I use a capture filter, as simple as "ip", which should only display IP traffic, I only see traffic to or from my computer, including broadcasts & multicast. I do not see any unicast traffic for the monitored system.
Any ideas?
tnx jk
-- Use OpenOffice.org http://www.openoffice.org
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Friday 18 July 2008 11:22:07 am James Knott wrote:
I often use Wireshark and it appears that with the version included with 11.0, the filters no longer work properly. For example, I currently have my notebook computer plugged into a "mirror" port on a switch, which will allow me to monitor traffic to and from another switch port. If I don't use filters, I can see all the traffic for that other port. However, if I use a capture filter, as simple as "ip", which should only display IP traffic, I only see traffic to or from my computer, including broadcasts & multicast. I do not see any unicast traffic for the monitored system.
Any ideas?
tnx jk
-- Use OpenOffice.org http://www.openoffice.org
What mode are you in on Wireshark? Anything other than Promiscuous?
Ben Kevan wrote:
On Friday 18 July 2008 11:22:07 am James Knott wrote:
I often use Wireshark and it appears that with the version included with 11.0, the filters no longer work properly. For example, I currently have my notebook computer plugged into a "mirror" port on a switch, which will allow me to monitor traffic to and from another switch port. If I don't use filters, I can see all the traffic for that other port. However, if I use a capture filter, as simple as "ip", which should only display IP traffic, I only see traffic to or from my computer, including broadcasts & multicast. I do not see any unicast traffic for the monitored system.
Any ideas?
tnx jk
-- Use OpenOffice.org http://www.openoffice.org
What mode are you in on Wireshark? Anything other than Promiscuous?
Promiscuous only. The only difference is when I don't use filters I see everything, but with any filter I don't see much. One reason I want to filter on IP only, is to eliminate all those spanning tree broadcasts. I've also tried filtering on host address and have the same problem.
-- Use OpenOffice.org http://www.openoffice.org
Ben Kevan wrote:
On Friday 18 July 2008 11:22:07 am James Knott wrote:
I often use Wireshark and it appears that with the version included with 11.0, the filters no longer work properly. For example, I currently have my notebook computer plugged into a "mirror" port on a switch, which will allow me to monitor traffic to and from another switch port. If I don't use filters, I can see all the traffic for that other port. However, if I use a capture filter, as simple as "ip", which should only display IP traffic, I only see traffic to or from my computer, including broadcasts & multicast. I do not see any unicast traffic for the monitored system.
Any ideas?
tnx jk
-- Use OpenOffice.org http://www.openoffice.org
What mode are you in on Wireshark? Anything other than Promiscuous?
Further on this. I've tried 3 different versions of Wireshark, including the one from 10.3, which had previously worked fine. All behave the same way, so perhaps this is a kernel problem. As soon as I enable any capture filter, I can only see traffic to/from the computer I'm running Wireshark on. If I don't use any filter, I see all the traffic. Not being able to use capture filters with Wireshark greatly reduces its usefulness. This is something that worked well in 10.3 and earlier versions.
-- Use OpenOffice.org http://www.openoffice.org
On Monday 21 July 2008 09:48:28 am James Knott wrote:
Further on this. I've tried 3 different versions of Wireshark, including the one from 10.3, which had previously worked fine. All behave the same way, so perhaps this is a kernel problem. As soon as I enable any capture filter, I can only see traffic to/from the computer I'm running Wireshark on. If I don't use any filter, I see all the traffic. Not being able to use capture filters with Wireshark greatly reduces its usefulness. This is something that worked well in 10.3 and earlier versions.
Humm very strange.. what NIC do you have? Maybe I'll try it on my card to see if I get the same behavior.
Ben Kevan wrote:
On Monday 21 July 2008 09:48:28 am James Knott wrote:
Further on this. I've tried 3 different versions of Wireshark, including the one from 10.3, which had previously worked fine. All behave the same way, so perhaps this is a kernel problem. As soon as I enable any capture filter, I can only see traffic to/from the computer I'm running Wireshark on. If I don't use any filter, I see all the traffic. Not being able to use capture filters with Wireshark greatly reduces its usefulness. This is something that worked well in 10.3 and earlier versions.
Humm very strange.. what NIC do you have? Maybe I'll try it on my card to see if I get the same behavior.
It's the one built into my Thinkpad, a "PRO/100 VE" (Intel IIRC). I've been using Wireshark (& Ethereal) on this computer for about 6 years and it's always worked fine until now.
-- Use OpenOffice.org http://www.openoffice.org
On Monday 21 July 2008 11:14:48 am James Knott wrote:
Ben Kevan wrote:
On Monday 21 July 2008 09:48:28 am James Knott wrote:
Further on this. I've tried 3 different versions of Wireshark, including the one from 10.3, which had previously worked fine. All behave the same way, so perhaps this is a kernel problem. As soon as I enable any capture filter, I can only see traffic to/from the computer I'm running Wireshark on. If I don't use any filter, I see all the traffic. Not being able to use capture filters with Wireshark greatly reduces its usefulness. This is something that worked well in 10.3 and earlier versions.
Humm very strange.. what NIC do you have? Maybe I'll try it on my card to see if I get the same behavior.
It's the one built into my Thinkpad, a "PRO/100 VE" (Intel IIRC). I've been using Wireshark (& Ethereal) on this computer for about 6 years and it's always worked fine until now.
-- Use OpenOffice.org http://www.openoffice.org
Yeah.. I just want to check on my machine, to see if the new kernel 2.6.25.x (guessing that's what you are also running) changed something with the Intel PRO driver. Ben I'll let you know what I see when I give it a whirl.
participants (2): Ben Kevan, James Knott