-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks! It was the vlan bit. I was assuming the forwarding switch would send the mirrored packets stripped of any tags.
Guy Harris wrote: > Cliff Fogle wrote: > >> This also applies to tcpdump. > > Not surprising, as this is probably a libpcap issue, and both > tcpdump and Wireshark/TShark use libpcap to do capturing. > >> If I do an unfiltered capture and use a display filter I see >> these packets, > > If you look at those packets, is there an 802.1Q VLAN header > between the Ethernet header and the IP header? > > If so, you need to prefix the filters with "vlan and", e.g. "vlan > and dst port 80". _______________________________________________ > Wireshark-users mailing list Wireshark-users@wireshark.org > http://www.wireshark.org/mailman/listinfo/wireshark-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHfpvA64Kvi7PwWiQRAvV1AJ4q62QwcBDK0DAMwgb3NBVvOVht+wCfVeX8 M4szUSjnhWtLf8cq2iZq+WU= =wRFI -----END PGP SIGNATURE----- _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
