On Fri, Feb 08, 2008 at 12:32:34PM -0500, Matthew Moeller wrote:
> I have a spanned port which spans 3 edge segments to our network. I'm
> trying to create a filter which would isolate traffic from one of the three
> edge routers that feed this port, can this be done?
>
> I tried the filter: gateway host <host> in the help section of the windows
> version but can't seem to get the syntax correct. Wireshark itself rejects
> my attempts upon start of capture. It seems to need a hostname (not ip
> addy) in the <host> argument. Is it that this can only be used with
> something along the lines of a proxy server and not a router?

The "gateway <host>" is specifically for a router and not for a proxy server.
If you take a look at: http://www.tcpdump.org/tcpdump_man.html :

    gateway host
        True if the packet used host as a gateway. I.e., the Ethernet
        source or destination address was host but neither the IP source
        nor the IP destination was host. Host must be a name and must be
        found both by the machine's host-name-to-IP-address resolution
        mechanisms (host name file, DNS, NIS, etc.) and by the machine's
        host-name-to-Ethernet-address resolution mechanism (/etc/ethers,
        etc.). (An equivalent expression is
            ether host ehost and not host host

If you can't resolve the hostname to an ip-address or the ip-address is not
in the arp table (which might be true if you're attaching the Wireshark
system on a span-port), you might not want to rely on the L3 and L2 lookups
and fill in the blanks yourself.

So if you want to collect only packets from router, you will have to use
something like:

"ether host <mac-address-of-router1> and not host <ip-address-of-router1>"

Hope this helps,
Cheers,
Sake
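
The "gateway" test described in the reply above, written out as an added example (not part of the original message and not Wireshark or libpcap code). The MAC and IP addresses are constructed documentation values, the function names are hypothetical, and only untagged Ethernet II frames carrying IPv4 are classified:

```python
import socket
import struct

# Constructed sample addresses (documentation ranges), not from the thread.
ROUTER1_MAC, ROUTER1_IP = "00:00:5e:00:53:01", "192.0.2.1"
ROUTER2_MAC = "00:00:5e:00:53:02"
CAPTURE_PC_MAC = "00:00:5e:00:53:10"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def capture_filter(router_mac, router_ip):
    """Build the filter string with MAC and IP filled in by hand (no name lookups)."""
    return f"ether host {router_mac} and not host {router_ip}"

def used_gateway(frame, router_mac, router_ip):
    """True if the Ethernet source or destination is the router while neither IP
    address is. Returns None for frames this sketch does not classify."""
    if len(frame) < 34:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None  # not IPv4 (ARP, IPv6, VLAN-tagged, ...): left unclassified
    ip_src = socket.inet_ntoa(frame[26:30])
    ip_dst = socket.inet_ntoa(frame[30:34])
    via_router = mac_bytes(router_mac) in (eth_src, eth_dst)
    return via_router and router_ip not in (ip_src, ip_dst)

def build_frame(eth_dst, eth_src, ip_src, ip_dst):
    """Constructed test frame: Ethernet II header plus a bare 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(ip_src), socket.inet_aton(ip_dst))
    return mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0800) + ip

# Forwarded by router1: its MAC at layer 2, other hosts' addresses at layer 3.
FORWARDED = build_frame(CAPTURE_PC_MAC, ROUTER1_MAC, "198.51.100.7", "192.0.2.50")
# Sent by router1 itself: its MAC and its own IP, so "not host" excludes it.
ROUTER_OWN = build_frame(CAPTURE_PC_MAC, ROUTER1_MAC, ROUTER1_IP, "192.0.2.50")
# Forwarded by a different edge router on the same span port.
OTHER_ROUTER = build_frame(CAPTURE_PC_MAC, ROUTER2_MAC, "198.51.100.7", "192.0.2.50")

if __name__ == "__main__":
    print(capture_filter(ROUTER1_MAC, ROUTER1_IP))
    for name, frame in [("forwarded", FORWARDED), ("router's own", ROUTER_OWN),
                        ("other router", OTHER_ROUTER)]:
        print(name, used_gateway(frame, ROUTER1_MAC, ROUTER1_IP))
```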