This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey guys, I have 80 gigs of capture logs in CAP files. I need to filter a specific MAC address from those in order to save the files to a much smaller file size. For some reason, I am able to find the MAC address by looking at the Source address from within 1 of the CAP files but if I try to filter that MAC address from the file it finds nothing. My filter is: eth.addr==xx:xx:xx:xx:xx:xx

What am I doing wrong? Thanks a lot !

asked 22 Dec '12, 15:02

Gaarzen's gravatar image

Gaarzen
1111
accept rate: 0%


It looks like you are doing it right. What happens if you select the source address and then rightclick on it and chose for "prepare as filter". What does it show in the filter field now?

When I have to extract data from a collection of pcap files I do it in a command shell and I try to use tcpdump instead of tshark if my filter can be done with BPF filters. This works much quicker as there is no need to do full dissection of the packets. Here's my recipe :-)

mkdir tmp
for file in *.pcap
do
   tcpdump -r $file -w tmp/$file "ether host xx:xx:xx:xx:xx:xx"
done
mergecap -w extract.pcap tmp/*
rm -rf tmp
permanent link

answered 22 Dec '12, 15:29

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×349
×157
×48
×7

question asked: 22 Dec '12, 15:02

question was seen: 3,373 times

last updated: 22 Dec '12, 15:29

p​o​w​e​r​e​d by O​S​Q​A