Wireshark Filter!

[sleky]

Hello all...

Just trying to figure out how to filter MAC Addresses...

From what I gathered on their FAQ and other google searches, I've come up with:

eth eth.src == ff:ff:ff:ff:ff:ff to be the filter, but its not liking that so much. =[

Any help would be GREATLY appreciated!!!

 

[k3y3n1n]

if you go to capture you should be able to select mac address or type it in and press filter.. I haven't tried to filter while the capturing taking place but after i got my cap file i filter it that way

 

[sleky]

do you know what the filter is? typing in 'mac' only gives me 'mac-lte' and 'macc' neither of which is a physical address filtering. =[ i know its possible, dang it! LoL! thanks for the reply!

 

[Brian_tii]

Hello all...

Just trying to figure out how to filter MAC Addresses...

From what I gathered on their FAQ and other google searches, I've come up with:

eth eth.src == ff:ff:ff:ff:ff:ff to be the filter, but its not liking that so much. =[

Any help would be GREATLY appreciated!!!

Haven't had a chance to test it... but below was an example I found on google... looks about right to me. It seems you maybe using too many 'eth''s in there... example to filter on IP address I KNOW is ip.addr==<blah>...


eth.addr==08.00.08.1f.0e.1e

also

eth.src==<blah>

Good luck,

Brian

 

[sleky]

Best answer selected by sleky.

 

[sleky]

eth.addr==08.00.08.1f.0e.1e

also

eth.src==<blah>

Brian. Thats the money shot. ;D Thank you sir!!!

 

[Brian_tii]

Np, glad it's working for ya.

 

[chand_05]

I don't think there is a direct filter to capture multicast data. (eth.dst[0]&1) will filter both multicast and broadcast. So, from this exclude broadcast. It will be like (eth.dst[0]&1) && !eth.dst==ff:ff:ff:ff:ff:ff