You can create a filter that manually looks at the mac address fields in the ethernet header. Here is what the normal "ether host 11:22:33:44:55:66" looks like in BPF code:
$ tcpdump -d ether host 11:22:33:44:55:66
(000) ld [8]
(001) jeq #0x33445566 jt 2 jf 4
(002) ldh [6]
(003) jeq #0x1122 jt 8 jf 4
(004) ld [2]
(005) jeq #0x33445566 jt 6 jf 9
(006) ldh [0]
(007) jeq #0x1122 jt 8 jf 9
(008) ret #65535
(009) ret #0
$
So in your case, you want to look at the ethernet destination address, which starts at offset 0 in the ethernet header, and you will need the first 4 octets. This can be done with ether[0:4], then you need to mask all the bits in which you are not interested, which can be done with ether[0:4] & 0xffffff0f. Then compare this with your specific address range 0x0009fb06. The same goes for the ethernet source address, which can be found at offset 6. This will result in the filter:
ether[0:4] & 0xffffff0f = 0x0009fb06 or ether[6:4] & 0xffffff0f = 0x0009fb06
This filter will result in the following BPF code:
$ tcpdump -d "ether[0:4] & 0xffffff0f = 0x0009fb06 or ether[6:4] & 0xffffff0f = 0x0009fb06"
(000) ld [0]
(001) and #0xffffff0f
(002) jeq #0x9fb06 jt 6 jf 3
(003) ld [6]
(004) and #0xffffff0f
(005) jeq #0x9fb06 jt 6 jf 7
(006) ret #65535
(007) ret #0
$
answered 29 May '13, 23:59
SYN-bit ♦♦
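As an added example (not part of the original answer), here is a small Python model of the same byte-offset-and-mask test. It loads ether[0:4] and ether[6:4] from constructed sample frames the way the BPF ld instructions above do, applies the 0xffffff0f mask, and also evaluates the negated form that excludes these frames, contrasting it with negating each clause separately; the frame labels and MAC addresses are made up for the demonstration.

```python
import struct

MASK = 0xFFFFFF0F      # keep octets 1-3 and the low nibble of octet 4 (the "6" in x6)
PATTERN = 0x0009FB06   # 00:09:fb:x6 with the masked nibble zeroed

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def build_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet frame: 14-byte header followed by a dummy payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + b"\x00" * 46

def ether_load32(frame: bytes, offset: int) -> int:
    """ether[offset:4] -- a big-endian 32-bit load, like the BPF 'ld [offset]' instruction."""
    return struct.unpack_from("!I", frame, offset)[0]

def dst_matches(frame: bytes) -> bool:
    return ether_load32(frame, 0) & MASK == PATTERN   # ld [0]; and #0xffffff0f; jeq #0x9fb06
def src_matches(frame: bytes) -> bool:
    return ether_load32(frame, 6) & MASK == PATTERN   # ld [6]; and #0xffffff0f; jeq #0x9fb06

def include_filter(frame: bytes) -> bool:
    """ether[0:4] & 0xffffff0f = 0x0009fb06 or ether[6:4] & 0xffffff0f = 0x0009fb06"""
    return dst_matches(frame) or src_matches(frame)

def exclude_filter(frame: bytes) -> bool:
    """not ( ...the include filter... ): keeps exactly the frames the include filter drops."""
    return not include_filter(frame)

def per_clause_negation(frame: bytes) -> bool:
    """not (dst clause) or not (src clause): passes any frame where at least one address
    does not match, so frames with a single 00:09:fb:x6 address still get through."""
    return (not dst_matches(frame)) or (not src_matches(frame))

# Constructed sample frames, keyed by a short label: (destination, source)
FRAMES = {
    "dst_x6":    build_frame("00:09:fb:16:aa:01", "52:54:00:12:34:56"),
    "src_x6":    build_frame("ff:ff:ff:ff:ff:ff", "00:09:fb:a6:00:02"),
    "both_x6":   build_frame("00:09:fb:f6:10:20", "00:09:fb:06:30:40"),
    "near_miss": build_frame("00:09:fb:07:00:00", "52:54:00:ab:cd:ef"),  # low nibble is 7, not 6
    "other":     build_frame("52:54:00:00:00:01", "52:54:00:00:00:02"),
}
def kept_by(filter_fn) -> list:
    """Labels of the sample frames that the given filter would pass."""
    return sorted(label for label, frame in FRAMES.items() if filter_fn(frame))

if __name__ == "__main__":
    for fn in (include_filter, exclude_filter, per_clause_negation):
        print(f"{fn.__name__:20s} keeps {kept_by(fn)}")
```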
Ok. That is very similar to what I had come up with. Mine had more brackets.
I'm also trying to do the inverse. Capture all packets, except for 0009fbx6 where x can be any number.
I think my brackets have been getting in the way.
I've tried not (ether[0:4] & 0xffffff0f = 0x0009fb06) or not (ether[6:4] & 0xffffff0f = 0x0009fb06)
But it doesn't seem to exclude those packets.
It's either:
or
I usually take the filter that shows me all the traffic I do not want to see and then put "not (" and ")" around it.
So in your case:
Hmm... That did not appear to work for me. I'm still seeing that traffic.
Can you share a piece of the full tracefile (without the filter) on www.cloudshark.org?
If not, can you do the following:
tcpdump -r full.pcap -w incl.pcap "ether[0:4] & 0xffffff0f = 0x0009fb06 or ether[6:4] & 0xffffff0f = 0x0009fb06"
tcpdump -r full.pcap -w excl.pcap "not (ether[0:4] & 0xffffff0f = 0x0009fb06 or ether[6:4] & 0xffffff0f = 0x0009fb06)"
capinfos -Tc *
and show the output here.
tshark -nlr excl.pcap -T fields -e eth.src -e eth.dst -c 5
and show the output here.
Unfortunately, I can't seem to do either. The box I'm performing the captures on is on an isolated network, and I don't have access to getting files on or off the box. (I'm supposed to, but something is messed up with my VPN, and I can only seem to get RDP access to the box.)
The box is Windows, and only has Wireshark (WinPcap / tshark) on the box. I can't add tcpdump for the same reason as above.
Is there a way to do this with Just wireshark?
I will have a person onsite tomorrow, so there is a possibility that I can get files sneakernet'd off the box tomorrow, but that is iffy, because they're supposed to be doing an install of something in a different part of the building.
Using Remote Desktop you can "share" a local drive with the remote machine, and then on the remote machine copy files to that "shared" drive. Look under Options | Local Resources | Local devices and resources | More ...