I am using Wireshark 1.6.9 currently, but have no particular requirement to use that version and plan to upgrade at some point anyway. I know that I can filter on a specific Ethernet MAC address using the capture filter For example,

asked 15 Aug '12, 15:47 multipleinte...
One Answer:
There are no keywords that let you do that, but you can accomplish what you want with a byte offset filter. I was able to limit my capture to traffic to and from Netopia devices (OUI 00:0f:cc) with:

    (ether [0:4] & 0xffffff00 = 0x000fcc00) or (ether [6:4] & 0xffffff00 = 0x000fcc00)

This was only a first attempt for me at using byte offset notation in a capture filter, so maybe someone can shorten the syntax. The problem I ran into was that we're trying to examine three bytes, but the length value in a capture filter byte offset expression can only be 1, 2, or 4 bytes. So "ether[0]" is valid, as is "ether[0:2]" or "ether[0:4]", but not "ether[0:3]". This filter uses "ether[0:4]" and "ether[6:4]" to examine the first four bytes of the destination MAC address and source MAC address, but then uses "& 0xffffff00" to mask the fourth byte before making the comparison.

You could also just examine each byte individually:

    (ether[0]=0x0 and ether[1]=0x0f and ether[2]=0xcc) or (ether[6]=0x0 and ether[7]=0x0f and ether[8]=0xcc)

This is a longer and more awkward looking filter, but you might find it easier to create since the comparison logic is more straightforward.

answered 15 Aug '12, 19:51 Jim Aragon
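The following is an added example, not code from the answer above or from the Wireshark project. It reimplements the semantics of the two capture-filter forms given in the answer in Python (BPF's "ether[offset:length]" read as a big-endian unsigned integer, with the 1/2/4-byte length restriction the answer mentions), applies them to constructed Ethernet frames, and confirms that the masked 4-byte form and the per-byte form accept exactly the same frames. It also generalises the answer's filter into a small generator that emits the masked expression for any 3-byte OUI; the frames, MAC addresses and function names are constructed for this example.

```python
"""Added example (not from the original answer): apply the two capture-filter
forms from the answer to constructed Ethernet frames and show they agree."""
import struct

# Netopia OUI from the answer; every frame below is constructed test data.
OUI_NETOPIA = bytes.fromhex("000fcc")


def ether(frame, offset, length):
    """Mimic BPF 'ether[offset:length]': big-endian unsigned int, length 1, 2 or 4.

    Returns None when the access would run past the end of the packet, which
    is when the BPF engine rejects the packet for that expression."""
    if length not in (1, 2, 4):
        raise ValueError("BPF byte-offset length must be 1, 2 or 4")
    chunk = frame[offset:offset + length]
    if len(chunk) < length:
        return None
    return int.from_bytes(chunk, "big")


def masked_filter(frame, oui=OUI_NETOPIA):
    """(ether[0:4] & 0xffffff00 = X) or (ether[6:4] & 0xffffff00 = X), with X = OUI << 8."""
    want = int.from_bytes(oui, "big") << 8
    dst = ether(frame, 0, 4)
    src = ether(frame, 6, 4)
    return any(v is not None and (v & 0xFFFFFF00) == want for v in (dst, src))


def per_byte_filter(frame, oui=OUI_NETOPIA):
    """(ether[0]=o0 and ether[1]=o1 and ether[2]=o2) or (ether[6]=o0 and ether[7]=o1 and ether[8]=o2)."""
    if len(frame) < 14:  # shorter than an Ethernet header: no address bytes to compare
        return False
    return frame[0:3] == oui or frame[6:9] == oui


def bpf_oui_expression(oui):
    """Emit the answer's masked capture filter for an arbitrary 3-byte OUI."""
    if len(oui) != 3:
        raise ValueError("OUI must be exactly 3 bytes")
    x = f"0x{int.from_bytes(oui, 'big'):06x}00"  # OUI in the top 3 bytes, low byte masked
    return f"(ether[0:4] & 0xffffff00 = {x}) or (ether[6:4] & 0xffffff00 = {x})"


def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame from 'aa:bb:cc:dd:ee:ff' MAC strings."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


# Constructed sample frames covering the interesting cases.
SAMPLES = {
    "dst netopia": frame("00:0f:cc:12:34:56", "aa:bb:cc:dd:ee:ff"),
    "src netopia": frame("ff:ff:ff:ff:ff:ff", "00:0f:cc:00:00:01"),
    "netopia, 4th byte 0xff": frame("00:0f:cc:ff:00:00", "11:22:33:44:55:66"),
    "near miss 00:0f:cd": frame("00:0f:cd:12:34:56", "11:22:33:44:55:66"),
    "oui only in payload": frame("11:22:33:44:55:66", "aa:bb:cc:dd:ee:ff",
                                 payload=OUI_NETOPIA + b"\x00" * 43),
    "neither": frame("11:22:33:44:55:66", "aa:bb:cc:dd:ee:ff"),
}


def compare_filters(samples=SAMPLES):
    """Return {name: (masked_result, per_byte_result)} for every sample frame."""
    return {name: (masked_filter(f), per_byte_filter(f)) for name, f in samples.items()}


if __name__ == "__main__":
    print(bpf_oui_expression(OUI_NETOPIA))
    for name, (m, p) in compare_filters().items():
        print(f"{name:28s} masked={m!s:5s} per-byte={p}")
```

The "netopia, 4th byte 0xff" case is the one that would break a naive "ether[0:4] = 0x000fcc00" comparison without the mask, since the fourth byte belongs to the device-specific half of the address; both of the answer's forms ignore it. On a host with tcpdump installed, `tcpdump -d '<expression>'` prints the compiled BPF program for the generated string, which is a convenient way to check that the expression parses before loading it into Wireshark.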