
Problem using bridge...

ashitpro
Expert
 
Join Date: Aug 2007
Posts: 390
#1: Mar 11 '09
I have two interfaces, eth3 and eth4; both have been added to bridge br1.
Also, eth1 and eth2 are added to bridge br0.
eth3/eth4/br1 don't have any IP addresses, i.e. 0.0.0.0.
The problem is, I am able to capture the packets coming in on eth3 by using tcpdump,
but I am not able to get these packets by using tshark.

sicarie
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,929
#2: Mar 11 '09

re: Problem using bridge...


tcpdump is awesome because you can see everything - even if it's not processed by the interface. I use it all the time in testing my device configurations, because sometimes I will not see an established TCP connection, but I will be able to see stuff coming and being dropped by my box (indicating I did not configure it correctly).

I'm not familiar with tshark - are you looking to establish a connection, or just use 'tshark' to get something?

If you can see the info with tcpdump, you can always use that to capture packets...

ashitpro
Expert
 
Join Date: Aug 2007
Posts: 390
#3: Mar 12 '09

re: Problem using bridge...


I am actually trying to capture RTP packets...
I can get those on the bridge with tcpdump but not with tshark/wireshark.

sicarie
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,929
#4: Mar 13 '09

re: Problem using bridge...


Well, you could do a number of things - I'm not familiar with tshark (though I'm more familiar with the Windows version of Wireshark), so I'm sorry I can't help you on that, but you could always pipe tcpdump to a file and filter out RTP, or create a sniffer box out of an old piece of hardware with a program that you are sure will be able to capture the RTP packets.

I'll try to play around with tshark today, but I'm not sure I'll have time - hope one of the other options helps in the meantime.
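
One way to do the "write tcpdump output to a file and filter out RTP" step suggested above, as an added example that is not part of any poster's message. It reads a classic pcap file of the kind `tcpdump -w` produces and keeps UDP payloads that look like RTP; the function names and the sample capture are constructed for illustration, and the RTP test is a heuristic (version field 2, payload type outside the RTCP range), since RTP has no fixed port.

```python
import socket, struct

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Classic little-endian pcap with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def rtp_packets(pcap):
    """Return (sport, dport, payload_type, seq, ssrc) for payloads that look like RTP."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # byte order of the file
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]  # captured length
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IPv4 header (IHL words)
        if len(udp) < 20:
            continue  # trimmed by a small snaplen, or too short for an RTP header
        sport, dport = struct.unpack("!HH", udp[:4])
        b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", udp[8:20])
        pt = b1 & 0x7F
        if b0 >> 6 == 2 and not 72 <= pt <= 76:  # version 2, and not RTCP (200-204)
            found.append((sport, dport, pt, seq, ssrc))
    return found

# Constructed sample capture: one SIP packet, one RTP packet, one RTCP packet.
RTP = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + b"\xff" * 160
RTCP = struct.pack("!BBHI", 0x80, 200, 6, 0x1234ABCD) + b"\x00" * 20
SAMPLE = build_pcap([build_frame(5060, 5060, b"INVITE sip:bob@example.invalid SIP/2.0\r\n"),
                     build_frame(40000, 40002, RTP),
                     build_frame(40001, 40003, RTCP)])

if __name__ == "__main__":
    for row in rtp_packets(SAMPLE):
        print(row)
```

Packets trimmed below 20 bytes of UDP data are skipped, so a capture taken with a very small snapshot length will yield no matches.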

sicarie
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,929
#5: Mar 13 '09

re: Problem using bridge...


Just out of curiosity - can you post the tshark command and options you have tried?

ashitpro
Expert
 
Join Date: Aug 2007
Posts: 390
#6: Mar 16 '09

re: Problem using bridge...


Quote:

Originally Posted by sicarie

Just out of curiosity - can you post the tshark command and options you have tried?

tshark works similarly to tcpdump...
It has some advantages, like you can specify filters to capture the packets.
For example, if we want to capture the UDP packets on port 5060 and put the result in some file, we can specify the following command:

tshark -f "udp port 5060" -i <interface> -w <file name>

Most of the time you'll get the packets trimmed, that is, the capture size is limited by default, so you can specify the -XX and -s options for extensions and size respectively.

If you've used Wireshark and its filters, you would rather feel the power of tshark in terms of filters.
Again, writing filters is a skill... I mostly used simple filters like the one I've written above.

ashitpro
Expert
 
Join Date: Aug 2007
Posts: 390
#7: Mar 16 '09

re: Problem using bridge...


Quote:

Originally Posted by sicarie

(though I'm more familiar with the Windows version of Wireshark)

Well, the Linux version does provide similar functionality with the same UI.
Many times we have to work on remote servers, so this GUI part doesn't help much. That's why I love tshark...

sicarie
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,929
#8: Mar 21 '09

re: Problem using bridge...


Yeah, and that's why I'm more versed with tcpdump - it's standard in the distros I'm used to using.

I haven't had time to install tshark - they had me running on-call this last week putting out fires. I'll try to get to it this week. Sorry!