I am using Wireshark 1.6.9 currently, but have no particular requirement to use that version and plan to upgrade at some point anyway. I know that I can filter on a specific Ethernet MAC address using the capture filter
asked 15 Aug '12, 15:47
There are no keywords that let you do that, but you can accomplish what you want with a byte offset filter. I was able to limit my capture to traffic to and from Netopia devices (OUI 00:0f:cc) with:
(ether [0:4] & 0xffffff00 = 0x000fcc00) or (ether [6:4] & 0xffffff00 = 0x000fcc00)
This was only a first attempt for me at using byte offset notation in a capture filter, so maybe someone can shorten the syntax. The problem I ran into was that we're trying to examine three bytes, but the length value in a capture filter byte offset expression can only be 1, 2, or 4 bytes. So "ether" is valid, as is "ether[0:2]" or "ether[0:4]" but not "ether[0:3]". This filter uses "ether[0:4]" and "ether[6:4]" to examine the first four bytes of the destination MAC address and source MAC address, but then uses "& 0xffffff00" to mask the fourth byte before making the comparison.
You could also just examine each byte individually:
(ether=0x0 and ether=0x0f and ether=0xcc) or (ether=0x0 and ether=0x0f and ether=0xcc)
This is a longer and more awkward looking filter, but you might finder it easier to create since the comparison logic is more straightforward.
answered 15 Aug '12, 19:51