This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t filter MAC address in a CAP file, help?


Hey guys, I have 80 gigs of capture logs in CAP files. I need to filter a specific MAC address from those in order to save the files to a much smaller file size. For some reason, I am able to find the MAC address by looking at the Source address from within 1 of the CAP files but if I try to filter that MAC address from the file it finds nothing. My filter is: eth.addr==xx:xx:xx:xx:xx:xx

What am I doing wrong? Thanks a lot!

asked 22 Dec '12, 15:02


Gaarzen


One Answer:


It looks like you are doing it right. What happens if you select the source address and then right-click on it and choose "Prepare as Filter"? What does it show in the filter field now?

When I have to extract data from a collection of pcap files I do it in a command shell and I try to use tcpdump instead of tshark if my filter can be done with BPF filters. This works much quicker as there is no need to do full dissection of the packets. Here's my recipe :-)

mkdir tmp
for file in *.pcap            # adjust the glob to match your files, e.g. *.cap
do
   # BPF "ether host" matches the MAC as either source or destination;
   # quoting $file keeps names with spaces intact
   tcpdump -r "$file" -w "tmp/$file" "ether host xx:xx:xx:xx:xx:xx"
done
mergecap -w extract.pcap tmp/*   # combine the per-file extracts into one capture
rm -rf tmp

answered 22 Dec '12, 15:29


SYN-bit ♦♦
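For readers who want to see what the "ether host" match in the recipe above actually does, here is an added example (not code from the answer or from Wireshark/tcpdump) that reads a classic little-endian pcap with only the Python standard library, keeps frames whose source OR destination MAC equals the given address, and writes out the smaller capture. The sample capture and the MAC addresses in it are constructed for the demo; real files are read with open(path, "rb").read().

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # magic of a little-endian, microsecond pcap
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff in any case; return 6 raw bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("bad MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)

def iter_records(data):
    """Yield (record_header_bytes, frame_bytes) for each packet in the pcap."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        hdr = data[off:off + RECORD_HDR.size]
        incl_len = RECORD_HDR.unpack(hdr)[2]      # bytes actually stored for this frame
        off += RECORD_HDR.size
        yield hdr, data[off:off + incl_len]
        off += incl_len

def filter_by_mac(data, mac_text):
    """Keep frames whose source or destination MAC matches, like BPF 'ether host'."""
    mac = parse_mac(mac_text)
    kept = [data[:GLOBAL_HDR.size]]   # reuse the original global header unchanged
    count = 0
    for hdr, frame in iter_records(data):
        # Ethernet header: dst MAC at bytes 0-5, src MAC at bytes 6-11
        if len(frame) >= 14 and (frame[0:6] == mac or frame[6:12] == mac):
            kept.append(hdr + frame)
            count += 1
    return b"".join(kept), count

# --- constructed sample capture (not from the original page) ---
def _frame(dst, src, payload=b"\x00" * 46):
    body = parse_mac(dst) + parse_mac(src) + b"\x08\x00" + payload
    return RECORD_HDR.pack(1356220800, 0, len(body), len(body)) + body

SAMPLE_PCAP = (GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55")   # sent by the host of interest
               + _frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff")   # sent to the host of interest
               + _frame("aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"))  # unrelated traffic

if __name__ == "__main__":
    out, n = filter_by_mac(SAMPLE_PCAP, "00-11-22-33-44-55")
    print("kept %d of 3 frames, %d bytes" % (n, len(out)))   # kept 2 of 3 frames, 176 bytes
```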