
Can you create a capture filter where you specify the packet offset and value of the gateway's IP address and then have a not value for the packet offset and value of the gateway's MAC address? In this way the only packets captured would be the poisoner's MAC address.

I can certainly create one as a post filter:

arp.src.proto_ipv4 == && !arp.src.hw_mac == xx:xx:xx:xx:xx:xx

Filtering in the capture would be far more efficient.



asked 10 May '12, 10:03 by VictorD

You can use

arp and ether[28:4]=0xc0a83001 and not (ether[22:2]=0x000c and ether[24:4]=0x29caffee)

ether[28:4] must specify the hexadecimal notation of your arp.src.proto_ipv4 address.

ether[22:2]=0x000c and ether[24:4]=0x29caffee represent your arp.src.hw_mac split up into the first 2 bytes and the last 4 bytes. I don't know why, but the ether[xx:length] command does not seem to accept any "length" value for the number of following bytes other than 1, 2 or 4. If someone has an idea why that is or what I'm missing, please feel free to add more information about that.


answered 10 May '12, 11:24 by Landi

Thanks. I'll try that.

(10 May '12, 12:24) VictorD

You can only use 1, 2 or 4 because the BPF virtual machine only knows how to handle bytes, 16 bit words and 32 bit words. The parser to compile your capture filter into BPF machine code is not enhanced to split "ether[22:6]" into bytes, 16 bit words or 32 bit words, so you need to do that manually.

(10 May '12, 15:32) SYN-bit ♦♦

Here is the resulting machine code on 1, 2 or 4 byte comparisons:

$ sudo tcpdump -d "ether[24:1]=0x11"
(000) ldb      [24]
(001) jeq      #0x11            jt 2    jf 3
(002) ret      #65535
(003) ret      #0
$ sudo tcpdump -d "ether[24:2]=0x1122"
(000) ldh      [24]
(001) jeq      #0x1122          jt 2    jf 3
(002) ret      #65535
(003) ret      #0
$ sudo tcpdump -d "ether[24:4]=0x11223344"
(000) ld       [24]
(001) jeq      #0x11223344      jt 2    jf 3
(002) ret      #65535
(003) ret      #0
$

As you can see, the BPF virtual machine has separate instructions to fetch a 1, 2 or 4 byte value from the packet.

(10 May '12, 15:33) SYN-bit ♦♦
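The following is an added example, not code posted by anyone in this thread. It builds the capture filter from the answer above out of a gateway IP and MAC (splitting the 6-byte MAC into the 2-byte and 4-byte words BPF can load, as the comments explain), emulates the 1/2/4-byte BPF loads to evaluate the same predicate on raw frames, and prints the four-instruction listing tcpdump -d shows. The gateway address 192.168.48.1 / 00:0c:29:ca:ff:ee is the pair encoded in the answer's filter; the ARP frames are constructed sample data, not a real capture.

```python
"""Added example: derive and evaluate the ARP-poisoner capture filter."""
import ipaddress
import struct

ETH_HDR_LEN = 14                    # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_ARP = 0x0806
# ARP body after the Ethernet header:
#   htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
OFF_SENDER_MAC = ETH_HDR_LEN + 8    # 22: the answer's ether[22:2] / ether[24:4]
OFF_SENDER_IP = ETH_HDR_LEN + 14    # 28: the answer's ether[28:4]

# BPF has one load instruction per width; there is no 6-byte load.
BPF_LOAD = {1: "ldb", 2: "ldh", 4: "ld"}


def _mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return raw


def _split_mac(mac):
    """Split a 6-byte MAC into the 2-byte and 4-byte words BPF can load."""
    raw = _mac_bytes(mac)
    return int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:], "big")


def build_capture_filter(gateway_ip, gateway_mac):
    """Filter keeping ARP frames whose sender IP is the gateway's but whose
    sender MAC is not, i.e. the poisoner's frames, as the question asks."""
    ip_word = int(ipaddress.IPv4Address(gateway_ip))
    mac_hi, mac_lo = _split_mac(gateway_mac)
    return (f"arp and ether[{OFF_SENDER_IP}:4]=0x{ip_word:08x} and not "
            f"(ether[{OFF_SENDER_MAC}:2]=0x{mac_hi:04x} "
            f"and ether[{OFF_SENDER_MAC + 2}:4]=0x{mac_lo:08x})")


def bpf_load(frame, offset, width):
    """Emulate ldb/ldh/ld: fetch a 1-, 2- or 4-byte big-endian word, or
    None when the packet is too short (BPF then rejects the packet)."""
    if width not in BPF_LOAD:
        raise ValueError("BPF loads are 1, 2 or 4 bytes, not %d" % width)
    if offset + width > len(frame):
        return None
    return int.from_bytes(frame[offset:offset + width], "big")


def matches(frame, gateway_ip, gateway_mac):
    """Evaluate the predicate of build_capture_filter() on a raw frame."""
    ip_word = int(ipaddress.IPv4Address(gateway_ip))
    mac_hi, mac_lo = _split_mac(gateway_mac)
    if bpf_load(frame, 12, 2) != ETHERTYPE_ARP:          # "arp"
        return False
    if bpf_load(frame, OFF_SENDER_IP, 4) != ip_word:     # ether[28:4]
        return False
    from_gateway = (bpf_load(frame, OFF_SENDER_MAC, 2) == mac_hi
                    and bpf_load(frame, OFF_SENDER_MAC + 2, 4) == mac_lo)
    return not from_gateway


def bpf_listing(offset, width, value):
    """The four-instruction program tcpdump -d shows for ether[offset:width]=value."""
    return [f"(000) {BPF_LOAD[width]:<8} [{offset}]",
            f"(001) jeq      #0x{value:x}    jt 2    jf 3",
            "(002) ret      #65535",
            "(003) ret      #0"]


def arp_frame(sender_mac, sender_ip, target_mac, target_ip, oper=2):
    """Constructed Ethernet+ARP frame (sample data, not a real capture)."""
    smac, tmac = _mac_bytes(sender_mac), _mac_bytes(target_mac)
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # Ethernet / IPv4
    arp += smac + ipaddress.IPv4Address(sender_ip).packed
    arp += tmac + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


if __name__ == "__main__":
    GW_IP, GW_MAC = "192.168.48.1", "00:0c:29:ca:ff:ee"   # values from the answer
    print(build_capture_filter(GW_IP, GW_MAC))
    legit = arp_frame(GW_MAC, GW_IP, "00:11:22:33:44:55", "192.168.48.10")
    spoof = arp_frame("de:ad:be:ef:00:01", GW_IP, "00:11:22:33:44:55", "192.168.48.10")
    print("gateway reply captured:", matches(legit, GW_IP, GW_MAC))   # False
    print("spoofed reply captured:", matches(spoof, GW_IP, GW_MAC))   # True
    print("\n".join(bpf_listing(24, 2, 0x1122)))
```

The offsets are only valid for untagged Ethernet; a single 802.1Q tag shifts the whole ARP body by 4 bytes, so on a trunk port the constants (or a `vlan and ...` prefix in the real filter) need adjusting. The filter also keys on the ARP sender fields, not the Ethernet source address, which is what you want: a poisoner can put anything in the frame header, but it must put the gateway's IP in the ARP sender field for the attack to work.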
question was seen: 8,299 times

last updated: 10 May '12, 15:33