This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

eth.addr filter ?

0

Hi, I am trying to use the eth.addr filter. I need to see only the communication from and to this MAC address. I use the filter eth.addr==2c:39:96:54:89:48 but get a blank page... I have 2c:39:96:54:89:48 traffic; when I use sll.src.eth == 2c:39:96:54:89:48 I get a lot of packets.

I am using version 1.10.3 of Wireshark.

asked 27 Nov '13, 00:47

Pouet-Lord

edited 27 Nov '13, 06:14

cmaynard ♦♦


One Answer:

2

You apparently have a Linux cooked-mode capture file. You can verify this in Wireshark by viewing the encapsulation entry in the Statistics -> Summary window. This means that there is no Ethernet encapsulation, thus the eth.addr (or any other eth filter) won't match any packets. As you've discovered, you'll need to use the sll filters.

For further information on this topic, refer to the Linux cooked-mode capture wiki page.

answered 27 Nov '13, 06:13

cmaynard ♦♦

Hello, thank you for your reply.

(28 Nov '13, 00:03) Pouet-Lord
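
The encapsulation check from the answer, as an added example that is not part of the original thread: it reads the link-layer type from a pcap file header and, for Linux cooked-mode, pulls the source address out of the SLL header, which is why the address matches sll.src.eth rather than any eth field. The helper names and the sample capture are constructed here; it assumes a classic pcap file (not pcapng) and the SLL v1 header.

```python
import struct

LINKTYPE_ETHERNET = 1     # pcap link-layer type: Ethernet
LINKTYPE_LINUX_SLL = 113  # pcap link-layer type: Linux cooked-mode (SLL v1)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def read_pcap(data):
    """Return (linktype, [packet bytes]) from a classic pcap file image."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    packets, off = [], 24                      # records follow the 24-byte file header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        packets.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, packets

def source_mac(linktype, pkt):
    """Return (display-filter field, source MAC) for one packet, or None."""
    if linktype == LINKTYPE_ETHERNET and len(pkt) >= 14:
        return "eth.src", mac(pkt[6:12])       # real Ethernet header present
    if linktype == LINKTYPE_LINUX_SLL and len(pkt) >= 16:
        # SLL v1, big-endian: packet type, ARPHRD type, addr length, 8-byte addr, protocol
        _ptype, hatype, halen, addr, _proto = struct.unpack_from("!HHH8sH", pkt)
        if hatype == 1 and halen == 6:         # ARPHRD_ETHER, 6-byte address
            return "sll.src.eth", mac(addr[:6])  # no eth.* fields exist for this packet
    return None

def build_sample(linktype, frame):
    """Constructed one-packet pcap image (little-endian, version 2.4)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: one outgoing cooked-mode packet from the MAC in the question.
MAC = bytes.fromhex("2c3996548948")
SLL_FRAME = struct.pack("!HHH8sH", 4, 1, 6, MAC + b"\0\0", 0x0800) + b"\0" * 20
SAMPLE = build_sample(LINKTYPE_LINUX_SLL, SLL_FRAME)

if __name__ == "__main__":
    lt, pkts = read_pcap(SAMPLE)
    print(lt, [source_mac(lt, p) for p in pkts])
```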