This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

eth.addr filter ?

Hi, I am trying to use the eth.addr filter, i need to see only the comunication from and to this mac address i use the filter eth.addr==2c:39:96:54:89:48 but blank page... i have 2c:39:96:54:89:48 traffic, when i use sll.src.eth == 2c:39:96:54:89:48 i have a lot of packet.

I am using the version 1.10.3 of wireshark.

eth.addr ethernet sll cooked display-filter

asked 27 Nov '13, 00:47

Pouet-Lord
16●1●1●4
accept rate: 0%

edited 27 Nov '13, 06:14

cmaynard ♦♦
9.4k●10●38●142

One Answer:

You apparently have a Linux cooked-mode capture file. You can verify this in Wireshark by viewing the encapsulation entry in the Statistics -> Summary window. This means that there is no Ethernet encapsulation, thus the eth.addr (or any other eth filter) won't match any packets. As you've discovered, you'll need to use the sll filters.

For further information on this topic, refer to the Linux cooked-mode capture wiki page.

answered 27 Nov '13, 06:13

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%

Hello, thank you for your reply.

(28 Nov '13, 00:03) Pouet-Lord