This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Filter ether dst not working

Hi, I have the following assignment. My problem is that when I type in ether in the filter, it turns red. Is that supposed to happen? When I type in ether src and then my mac address, it still doesn't work. Am I doing something wrong? Any help is appreciated. Thanks.

1. Find out which network interface is the active interface using Wireshark, and then use that interface to complete the rest of the activities.

2. Find out the Media Access Control address (MAC address, or Ethernet address) on the active interface.

3. Read the documentation on www.wireshark.org and learn what is Capture Filter.

4. Learn to use capture filter to record interested packets.

Examples of capture filters (replace the MAC address with the one you find in step 2)

    record Ethernet frame with destination address of “00:25:00:41:96:62”:

        ether dst 00:25:00:41:96:62

    record Ethernet frame with source address of “00:25:00:41:96:62”:

        ether src 00:25:00:41:96:62

    record only multicast frames:

        multicast and not ether dst ff:ff:ff:ff:ff:ff

    record only broadcast frames:

        broadcast and ether dst ff:ff:ff:ff:ff:ff

asked 08 Dec '13, 19:40

heisenberg55


One Answer:

Let me just give you a hint...

Please read about 'Capture Filters' and 'Display Filters' in the Wireshark documentation.

They are different; each type is entered in a different place in the GUI.

(A web search for 'wireshark "display filter" "capture filter"' will also give lots of info).

answered 08 Dec '13, 19:59

Bill Meier ♦♦

Thanks for the response. I looked around and found the codes eth.src and eth.dst. Maybe the code was wrong on the assignment or maybe I have a newer or older version of Wireshark?

(08 Dec '13, 20:12) heisenberg55
Again: I'm going to suggest that you do some reading & research to understand the difference between a "capture filter" and a "display filter" in Wireshark. :)

The syntax and verbs, etc., used for each are different and are entered in different places in the GUI.

Your assignment specifically mentions using a "capture filter".

(08 Dec '13, 20:27) Bill Meier ♦♦

I figured it out! I was supposed to use capture options. Thanks for the help. I appreciate it.

(08 Dec '13, 21:56) heisenberg55
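
What the four capture filters quoted in the question test at the frame level, as an added example that is not part of the original thread. The sample frames and the second MAC address are constructed, and the function names are illustrative.

```python
# Added example (constructed frames): byte-level meaning of the four capture filters.
import struct
MY_MAC = "00:25:00:41:96:62"      # MAC address used in the assignment text
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def parse_ethernet(frame):
    """Return (dst, src, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

# Each predicate mirrors one capture-filter (libpcap) primitive.
def ether_dst(frame, mac):        # ether dst <mac>
    return parse_ethernet(frame)[0] == mac_bytes(mac)
def ether_src(frame, mac):        # ether src <mac>
    return parse_ethernet(frame)[1] == mac_bytes(mac)
def multicast(frame):             # multicast: group bit, ether[0] & 1 != 0
    return parse_ethernet(frame)[0][0] & 1 != 0
def broadcast(frame):             # broadcast: destination is all ones
    return parse_ethernet(frame)[0] == mac_bytes(BROADCAST)

def matching_filters(frame):
    """List which of the assignment's four filters would record this frame."""
    checks = {
        "ether dst " + MY_MAC: ether_dst(frame, MY_MAC),
        "ether src " + MY_MAC: ether_src(frame, MY_MAC),
        "multicast and not ether dst " + BROADCAST:
            multicast(frame) and not ether_dst(frame, BROADCAST),
        "broadcast and ether dst " + BROADCAST:
            broadcast(frame) and ether_dst(frame, BROADCAST),
    }
    return [name for name, hit in checks.items() if hit]

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

# Constructed frames: unicast to us, broadcast from us, IPv4 multicast.
SAMPLES = {
    "unicast_in": build_frame(MY_MAC, "00:11:22:33:44:55"),
    "broadcast_out": build_frame(BROADCAST, MY_MAC, 0x0806),
    "multicast_in": build_frame("01:00:5e:00:00:fb", "00:11:22:33:44:55"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", matching_filters(frame))
```

The broadcast frame also has the group bit set, which is why the assignment's multicast filter excludes ff:ff:ff:ff:ff:ff explicitly. The display-filter fields eth.src and eth.dst mentioned in the comments examine the same header bytes, but with display-filter syntax.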