This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Possible to use the MAC info in the Wireshark manuf file as part of display filter?

0

Is it possible to use the MAC info in the Wireshark manuf file as part of display filter?

i.e. wlan.addr contains Apple

This would be much more efficient than building a filter with all 249 MAC prefixes associated with Apple in the manuf file.

thanks

tom

asked 03 Sep '13, 08:51

tomh


One Answer:

6

Prior to revision 51742, this was not possible; however, I just committed that change so Wireshark should now support it, at least on the development trunk.

If you're running on a platform for which the buildbots generate installers, then you ought to be able to use an automated build with that revision (or later) once the buildbots successfully create the installers.

If you're on a platform for which no automated installer exists, then you will have to either build from the automated sources or directly from the repository. Or you can wait until 1.12.0 is released next year. Since this would be considered a new feature, it's not going to be backported to 1.10 or 1.8, since no new features go into stable releases.

answered 03 Sep '13, 14:32

cmaynard ♦♦

Great -- thanks!

I've downloaded and am now running 1.11.0-SVN-51747 from /trunk for OSX

What is the syntax for a display filter using the manuf values?

wlan.addr[0:] matches c0:63:94 is valid and filters correctly

wlan.addr[0:3] matches Apple is valid but filters out everything (i.e. nothing displayed)

thanks again

tom

(04 Sep '13, 06:33) tomh

According to the source code:

wlan.addr_resolved matches Apple

(04 Sep '13, 06:40) Kurt Knochner ♦

Right, there are actually 6 new filters:

  • wlan.da_resolved
  • wlan.sa_resolved
  • wlan.ra_resolved
  • wlan.ta_resolved
  • wlan.bssid_resolved
  • wlan.addr_resolved

Keep in mind that these filter names may change (or even disappear) in the future. There is a discussion now about improving this even further. In the end, the functionality will still be there, but the implementation may be different and thus so too will the filtering.

(04 Sep '13, 07:16) cmaynard ♦♦
1

As per the answer by @cmaynard, this is only in the latest trunk and hasn't been backported to 1.8 or 1.10. Your output indicates a 1.8.2 build.

Make sure you are building off the master branch.

(12 Sep '13, 07:55) grahamb ♦

Hi Kurt,

I'm using tshark 1.10.2 over my RPi. I'm also very interested in the usage of the Wireshark manuf file as part of display filter... that's why I got the last tshark version.

Unfortunately after executing the command: tshark -i wlan1 -R "wlan.addr_resolved matches Apple"

I receive an error because neither wlan.addr_resolved nor Apple are field or protocol names.

Could you provide any advice based on your experience?

Thanks in advance, LeGramo

(25 Sep '13, 02:12) legramo
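
On builds without the _resolved fields (the 1.8 and 1.10 releases mentioned above), the fallback the question describes, one comparison per vendor prefix from the manuf file, can be generated instead of typed by hand. This is an added example, not code from the thread or from Wireshark; the function names are hypothetical and the sample manuf lines are constructed.

```python
import re

# Constructed sample in manuf layout (prefix, whitespace, short name, optional
# long name or comment). Vendor assignments here are illustrative only.
SAMPLE_MANUF = (
    "# constructed sample, not the real manuf file\n"
    "00:03:93\tApple\tApple, Inc.\n"
    "C0:63:94\tApple                  # APPLE, INC.\n"
    "00-17-F2\tApple\n"
    "00:00:0C\tCisco\tCisco Systems, Inc\n"
    "00:1B:C5:00:00:00/36\tExampleCo\t36-bit block, cannot be a 3-byte slice\n"
)

OUI_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:.-][0-9A-Fa-f]{2}){2}")


def vendor_prefixes(manuf_text, vendor):
    """Return the sorted 24-bit prefixes whose name text contains `vendor`."""
    needle = vendor.lower()
    found = set()
    for line in manuf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        prefix, names = parts
        # Only accept a strict xx:xx:xx token, so nothing else from the file
        # can end up inside the generated filter expression.
        if not OUI_RE.fullmatch(prefix):
            continue
        if needle in names.lower():
            found.add(re.sub(r"[.-]", ":", prefix).lower())
    return sorted(found)


def build_display_filter(prefixes, field="wlan.addr"):
    """OR together one 3-byte slice comparison per prefix."""
    if not prefixes:
        raise ValueError("no prefixes matched; refusing to build an empty filter")
    return " or ".join(f"{field}[0:3] == {p}" for p in prefixes)


if __name__ == "__main__":
    print(build_display_filter(vendor_prefixes(SAMPLE_MANUF, "apple")))
```

Entries with a mask longer than 24 bits are skipped because a 3-byte slice cannot express them, so the generated filter covers only whole-OUI assignments.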