[c-nsp] finding unicast flooding in Wireshark sniff
Rogelio
scubacuda at gmail.com
Tue Jul 19 11:05:40 EDT 2011
Irina Arsenieva wrote:
> Hello there,
> I believe Wireshark display filter should look something like this:
> !(eth.ig == 1) and !(eth.dst == xx.yy.zz.tt.uu.vv),
So, this was very helpful. Thx again, Irina. Here's what I'm currently
doing...
display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33)
Then I'm drilling down from there
display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33) && l2tp
&& arp (&& other stuff to narrow down this big list)
Once I find an interesting packet, then I see if it ever originated on
my segment
e.g.
display filter: eth.src == Apple_99:88:77
Thank you!
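The same triage as the display filters in the message above, as an added example that is not part of the original post: it keeps unicast frames not addressed to the capturing NIC, then reports whether each such destination MAC ever appears as a source in the capture. All MAC addresses and frames are constructed, and reading the last step as "is the destination ever seen as eth.src" is an assumption.

```python
import struct

MY_MAC = "02:00:00:00:00:01"  # constructed: MAC of the capturing NIC

def _frame(dst, src, etype=0x0800):
    """Build a constructed Ethernet II frame (sample data only)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return raw(dst) + raw(src) + struct.pack("!H", etype) + b"\x00" * 46

# Constructed capture: hosts ..0a, ..0b, ..0c plus the capturing NIC ..01
SAMPLE = [
    _frame(MY_MAC, "02:00:00:00:00:0a"),                       # to us
    _frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0a", 0x0806),  # broadcast ARP
    _frame("01:00:5e:00:00:fb", "02:00:00:00:00:0a"),          # multicast
    _frame("02:00:00:00:00:0b", "02:00:00:00:00:0a"),          # flooded, ..0b silent
    _frame("02:00:00:00:00:0b", "02:00:00:00:00:0a"),
    _frame("02:00:00:00:00:0c", "02:00:00:00:00:0a"),          # flooded, ..0c talks
    _frame(MY_MAC, "02:00:00:00:00:0c"),
    b"\x02\x00\x00",                                           # truncated frame
]

def fmt(mac_bytes):
    return ":".join(f"{b:02x}" for b in mac_bytes)

def flooded_unicast(frames, my_mac):
    """Group frames passing: destination I/G bit clear AND eth.dst != my_mac.

    For each remaining destination, also record whether that MAC was ever
    seen as a source address anywhere in the capture.
    """
    me = bytes.fromhex(my_mac.replace(":", ""))
    sources, hits = set(), {}
    for f in frames:
        if len(f) < 14:          # too short for an Ethernet header
            continue
        dst, src, _etype = struct.unpack("!6s6sH", f[:14])
        sources.add(src)
        if dst[0] & 0x01:        # I/G bit set: broadcast or multicast
            continue
        if dst == me:            # legitimately addressed to this NIC
            continue
        hits[dst] = hits.get(dst, 0) + 1
    return {fmt(d): {"frames": n, "seen_as_src": d in sources}
            for d, n in hits.items()}

if __name__ == "__main__":
    for dst, info in flooded_unicast(SAMPLE, MY_MAC).items():
        print(dst, info)
```

A destination that receives frames but never shows up as a source in the capture is the usual candidate for an unknown-unicast entry the switch cannot learn.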