[c-nsp] finding unicast flooding in Wireshark sniff

Rogelio scubacuda at gmail.com
Tue Jul 19 11:05:40 EDT 2011


Irina Arsenieva wrote:
> Hello there,
> I believe Wireshark display filter should look something like this:
> !(eth.ig == 1) and !(eth.dst == xx.yy.zz.tt.uu.vv),

So, this was very helpful.  Thx again, Irina.  Here's what I'm currently 
doing...

display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33)

Then I'm drilling down from there

display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33) && l2tp 
&& arp (&& other stuff to narrow down this big list)

Once I find an interesting packet, then I see if it ever originated on 
my segment

e.g.

display filter: eth.src == Apple_99:88:77

Thank you!
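
[Added example, not part of the original post or of Wireshark.] The same triage done offline over raw Ethernet frames: keep frames with the I/G bit clear whose destination is not the sniffer's own MAC, then report whether each such destination ever appears as a source in the capture. Reading the final eth.src step that way is an assumption, and all MAC addresses and frames below are constructed sample data.

```python
from collections import Counter

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def frame(dst: str, src: str, etype: int = 0x0800) -> bytes:
    """Build a minimal Ethernet II frame (constructed test input)."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_b(dst) + to_b(src) + etype.to_bytes(2, "big") + b"\x00" * 46

def flooding_candidates(frames, my_mac: bytes):
    """Equivalent of !(eth.ig == 1) && !(eth.dst == my_mac).

    Returns {dst_mac: (frame_count, dst_seen_as_source)}. A destination that
    never shows up as a source is one the switch may never have learned.
    """
    sources, hits = set(), Counter()
    for f in frames:
        if len(f) < 14:            # truncated header, skip
            continue
        dst, src = f[0:6], f[6:12]
        sources.add(src)
        # I/G bit = least significant bit of the first destination octet
        if dst[0] & 0x01 == 0 and dst != my_mac:
            hits[dst] += 1
    return {mac(d): (n, d in sources) for d, n in hits.items()}

# Constructed sample capture as seen by a sniffer with MAC MY.
MY = "00:11:22:33:44:55"
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLE = [
    frame("ff:ff:ff:ff:ff:ff", A, 0x0806),  # broadcast ARP, ignored
    frame("01:00:5e:00:00:fb", A),          # multicast, ignored
    frame(MY, A),                           # addressed to the sniffer, ignored
    frame(B, C), frame(B, C), frame(B, C),  # unicast to a MAC never seen as source
    frame(A, C),                            # unicast to a MAC that has sent traffic
    b"\x00" * 5,                            # truncated frame
]

def analyze_sample():
    return flooding_candidates(SAMPLE, bytes.fromhex(MY.replace(":", "")))

if __name__ == "__main__":
    for dst, (count, seen) in analyze_sample().items():
        note = "seen as source" if seen else "never seen as source"
        print(f"{dst}  frames={count}  {note}")
```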

