Can you create a capture filter where you specify the packet offset and value of the gateway's IP address and then have a not value for the packet offset and value of the gateway's MAC address? In this way the only packets captured would be the poisoner's MAC address. I can certainly create one as a post filter:

arp.src.proto_ipv4 == xxx.xxx.xxx.xxx && !arp.src.hw_mac == xx:xx:xx:xx:xx:xx

Filtering in the capture would be far more efficient. Thanks, Victor

asked 10 May '12, 10:03 VictorD
One Answer:
You can use
ether[28:4] must specify the hexadecimal notation of your arp.src.proto_ipv4 address; ether[22:2]=0x000c and ether[24:4]=0x29caffee represent your arp.src.hw_mac, split up into the first 2 bytes and the last 4 bytes. I don't know why, but the ether[xx:length] command does not seem to accept "length" values other than 1, 2 or 4 for the number of following bytes. If someone has an idea why that is or what I'm missing, please feel free to add more information about that.

answered 10 May '12, 11:24 Landi
Thanks. I'll try that.
You can only use 1, 2 or 4 because the BPF virtual machine only knows how to handle bytes, 16 bit words and 32 bit words. The parser to compile your capture filter into BPF machine code is not enhanced to split "ether[22:6]" into bytes, 16 bit words or 32 bit words, so you need to do that manually.
Here is the resulting machine code for 1, 2 or 4 byte comparisons:
As you can see, the BPF virtual machine has separate instructions to fetch a 1, 2 or 4 byte value from the packet.
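As an added example (not code from anyone in this thread), the script below does the two things the answer and the BPF comment describe: it builds the capture filter string from a gateway IP and MAC, splitting the 6-byte ARP sender MAC into a 2-byte word at offset 22 and a 4-byte word at offset 24 because BPF has no 6-byte load, and it evaluates that same predicate over a few constructed Ethernet/ARP frames so you can see which ones the filter would keep. The gateway and attacker addresses are made up, the `arp and` qualifier is my addition (the answer's bare offset test would otherwise match any frame with those bytes at those offsets), and the offsets assume untagged Ethernet.

```python
"""Build the ARP-poisoner capture filter and check it against constructed frames (added example)."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Offsets from the start of an untagged Ethernet frame: the ARP header starts at 14,
# the sender hardware address is at 22 (6 bytes) and the sender protocol address at 28 (4 bytes).
OFF_SENDER_MAC = 22
OFF_SENDER_IP = 28


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def capture_filter(gateway_ip: str, gateway_mac: str) -> str:
    """libpcap filter as in the answer: sender IP is the gateway's, sender MAC is not.

    BPF can only load 1, 2 or 4 bytes per instruction, so the 6-byte MAC is compared
    as a 2-byte word at 22 plus a 4-byte word at 24. 'arp and' is added so the byte
    offsets are only tested on ARP frames.
    """
    ip = int(ipaddress.IPv4Address(gateway_ip))
    mac = int.from_bytes(mac_bytes(gateway_mac), "big")
    return (
        "arp and ether[%d:4] = 0x%08x and not (ether[%d:2] = 0x%04x and ether[%d:4] = 0x%08x)"
        % (OFF_SENDER_IP, ip, OFF_SENDER_MAC, mac >> 32, OFF_SENDER_MAC + 2, mac & 0xFFFFFFFF)
    )


def load(frame: bytes, off: int, size: int) -> int:
    """Mimic a BPF load: only ldb/ldh/ld (1, 2, 4 bytes) exist; reading past the packet rejects it."""
    if size not in (1, 2, 4):
        raise ValueError("BPF can only load 1, 2 or 4 bytes at a time")
    if off + size > len(frame):
        raise IndexError("load past end of packet")
    return int.from_bytes(frame[off:off + size], "big")


def matches(frame: bytes, gateway_ip: str, gateway_mac: str) -> bool:
    """Evaluate the same predicate the capture filter expresses, on one raw frame."""
    ip = int(ipaddress.IPv4Address(gateway_ip))
    mac = int.from_bytes(mac_bytes(gateway_mac), "big")
    try:
        if load(frame, 12, 2) != ETHERTYPE_ARP:
            return False
        if load(frame, OFF_SENDER_IP, 4) != ip:
            return False
        is_gateway_mac = (load(frame, OFF_SENDER_MAC, 2) == mac >> 32
                          and load(frame, OFF_SENDER_MAC + 2, 4) == mac & 0xFFFFFFFF)
        return not is_gateway_mac
    except IndexError:
        return False  # truncated frame: BPF drops it rather than matching


def arp_frame(eth_src: str, eth_dst: str, op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Constructed Ethernet/ARP frame (hw type 1, proto 0x0800, hlen 6, plen 4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def poisoner_macs(frames, gateway_ip: str, gateway_mac: str) -> list:
    """ARP sender MAC of every frame the capture filter would keep."""
    return [f[OFF_SENDER_MAC:OFF_SENDER_MAC + 6].hex(":")
            for f in frames if matches(f, gateway_ip, gateway_mac)]


# Hypothetical addresses for the worked run.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:0c:29:ca:ff:ee"
ATTACKER_MAC, VICTIM_MAC = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"

SAMPLE_FRAMES = [  # constructed sample traffic
    # legitimate reply from the gateway: sender IP and MAC both the gateway's -> not captured
    arp_frame(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),
    # poisoner's reply: claims the gateway's IP with its own MAC -> captured
    arp_frame(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),
    # victim's broadcast request for the gateway: sender IP is not the gateway's -> not captured
    arp_frame(VICTIM_MAC, "ff:ff:ff:ff:ff:ff", ARP_REQUEST, VICTIM_MAC, "192.168.1.20",
              "00:00:00:00:00:00", GATEWAY_IP),
    # ARP ethertype but cut off before offset 28 -> dropped, not matched
    b"\x00" * 12 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 8,
]

if __name__ == "__main__":
    print(capture_filter(GATEWAY_IP, GATEWAY_MAC))
    print(poisoner_macs(SAMPLE_FRAMES, GATEWAY_IP, GATEWAY_MAC))
```

Two caveats when you use the generated string with tcpdump or Wireshark: on an 802.1Q-tagged link every offset shifts by 4 bytes, so prefix the expression with the `vlan` keyword, which makes libpcap adjust the offsets that follow it; and the filter keeps any ARP frame whose sender IP is the gateway's but whose sender MAC is not, so a poisoner's gratuitous requests are caught as well as its replies. `tcpdump -d '<filter>'` prints the compiled BPF, which is the easiest way to see the separate 2-byte and 4-byte load instructions the comment above refers to.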