That depends on what exactly "remote" means. You haven't provided your topology, but I assume that your PC has a normal internet connection and a VPN interface which gets an address from the 10.11.7.0/24 subnet, while the devices you wish to capture are in the 10.11.27.0/24 subnet. In this case, your chances for direct capture are very low because there is routing between the two subnets. If, however, both your PC's VPN address and the two remote devices are in the 10.11.0.0/16 subnet, your chances are higher if you can convince the virtual switch at the remote end to send a copy of the traffic between the two devices to your VPN interface's virtual MAC address. Keep in mind that the eth.

It may also be possible to run a capture directly on the router and let it store it into a file (many of them allow this, albeit most of them have a storage space limitation, so you can only capture short periods of time) or, instead, to send you a copy of the traffic matching a capture filter, encapsulated into UDP packets with a special header (this is what e.g.

If the router is Linux-based, you may run tcpdump on it, saving the capture to a file and downloading the file to open in Wireshark on your PC, or pipe it to the PC if storage space is small (see other Questions on this site for a howto). For capturing at one of the devices involved in the captured communication (the router) one way or another, it is not important whether your PC's VPN interface shares a subnet with the captured devices' interfaces or not.

I need to create a display filter that does the following: for each source IP address, list all destination IP addresses, but only list unique protocols for.

The problem is that dumpcap requires the filter expression to be quoted, unlike tcpdump, where it may be quoted (or will require quotes if it includes a BPF filter or other shell-digested characters). So, the following should resolve your problem as you have asked it: dumpcap -i1 -b filesize:100000 -b files:200 -f "not src host 10.213.121."

That is an Ethernet MAC address, not an IP address, so you filter it with eth.src, not ip.src. Also, since you're attempting to use the resolved Ethernet address (with the OUI), you'll actually need to use eth.src_resolved == "CompalIn_dc:d9:3e", since eth.src is for unresolved MAC addresses.

Assuming it's HTTP web traffic, try http.host contains ".com". The matches operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax. Neither one will require DNS resolution since they search on the web host.

While the answer provided by jon-ander-ortiz-durántez is basically correct, according to the tshark man page there's actually nothing wrong, per se, with your original attempt, at least according to the current documentation.
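Two of the threads above ask for things a display filter alone cannot do: listing, per source IP, each destination with only the unique protocols seen, and getting packets off a Linux router into Wireshark when the router cannot store a capture. The script below is an added example, not code from any of the answers: it post-processes tshark field output (the sample lines are constructed, one per packet, with deliberate duplicates) and wraps the ssh/tcpdump pipe the router answer refers to. The capture file name, the router login, the interface name and the ssh port exclusion are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes tshark, tcpdump and
# wireshark are installed where they are invoked; the sample data is constructed.

# Constructed sample of what this tshark command prints for a capture
# (tab-separated, one line per packet, so repeated flows repeat):
#   tshark -r capture.pcapng -T fields -E separator=/t \
#          -e ip.src -e ip.dst -e _ws.col.Protocol
sample_fields() {
  printf '10.11.27.5\t10.11.27.9\tTCP\n'
  printf '10.11.27.5\t10.11.27.9\tTCP\n'
  printf '10.11.27.5\t10.11.27.9\tDNS\n'
  printf '10.11.27.5\t10.11.7.20\tHTTP\n'
  printf '10.11.7.20\t10.11.27.5\tHTTP\n'
  printf '10.11.27.5\t10.11.27.9\tTCP\n'
}

# Reads src<TAB>dst<TAB>proto on stdin and prints one line per (src, dst)
# pair with its unique protocols, comma-separated. sort -u drops repeated
# packets of the same flow/protocol and orders the rest, so awk only has to
# notice when the (src, dst) key changes; protocols come out alphabetically.
unique_protocols_per_src() {
  LC_ALL=C sort -u | awk -F'\t' '
    NF == 3 {
      key = $1 " -> " $2
      if (key != prev) {
        if (prev != "") print prev ": " protos
        prev = key; protos = $3
      } else {
        protos = protos "," $3
      }
    }
    END { if (prev != "") print prev ": " protos }'
}

# Same thing against a real capture file (assumed path in $1).
protocols_from_capture() {
  tshark -r "$1" -T fields -E separator=/t \
    -e ip.src -e ip.dst -e _ws.col.Protocol | unique_protocols_per_src
}

# The "pipe it to the PC" variant for a Linux router with little storage:
# tcpdump writes pcap unbuffered to stdout (-U -w -), ssh carries it, and
# local Wireshark reads from stdin (-i -) and starts immediately (-k).
# Excluding the ssh port stops the capture from feeding on its own transport.
# Login and interface are assumptions; override them as $1 and $2.
remote_capture_to_wireshark() {
  router="${1:-admin@router}"; iface="${2:-eth0}"
  ssh "$router" "tcpdump -i $iface -U -s 0 -w - 'not tcp port 22'" | wireshark -k -i -
}

# Run the aggregation on the constructed sample.
sample_fields | unique_protocols_per_src
```

On the constructed input this prints three lines, one per (source, destination) pair, with 10.11.27.5 -> 10.11.27.9 collapsed to DNS,TCP. If the flows are TCP-only and you want the application protocol rather than the column value, swap _ws.col.Protocol for a field such as tcp.dstport and keep the rest of the pipeline.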