This is a static archive of our old Q&A Site. Please post any new questions and answers at

eth.addr filter ?


Hi, I am trying to use the eth.addr filter, i need to see only the comunication from and to this mac address i use the filter eth.addr==2c:39:96:54:89:48 but blank page... i have 2c:39:96:54:89:48 traffic, when i use sll.src.eth == 2c:39:96:54:89:48 i have a lot of packet.

I am using the version 1.10.3 of wireshark.

asked 27 Nov '13, 00:47

Pouet-Lord's gravatar image

accept rate: 0%

edited 27 Nov '13, 06:14

cmaynard's gravatar image

cmaynard ♦♦

One Answer:


You apparently have a Linux cooked-mode capture file. You can verify this in Wireshark by viewing the encapsulation entry in the Statistics -> Summary window. This means that there is no Ethernet encapsulation, thus the eth.addr (or any other eth filter) won't match any packets. As you've discovered, you'll need to use the sll filters.

For further information on this topic, refer to the Linux cooked-mode capture wiki page.

answered 27 Nov '13, 06:13

cmaynard's gravatar image

cmaynard ♦♦
accept rate: 20%

Hello, thank you for your reply.

(28 Nov '13, 00:03) Pouet-Lord