Trying to get better at filtering in Wireshark and understand the subtleties. Looking at ways to filter based on Ethernet address (MAC). First thing is separating bcast/mcast from normal addresses. I used the IG bit line under Destination under Ethernet and did Apply As Filter -> Selected. This produces eth.ig == 1 (which appears to work). Choosing Not Selected produces !(eth.ig == 1), which also works.

My first thought (before playing with Not Selected, etc.) was to use eth.ig == 0 to screen out bcast/mcast. It appears to always evaluate to true. Why is !(eth.ig == 1) not equivalent to eth.ig == 0? Thanks.

asked 02 Apr '14, 12:20 artswri
One Answer:
That's probably because you always have two Ethernet addresses in a frame, one for the source, one for the destination. "!(eth.ig=1)" says "neither of the two MACs may have a 1", which means both must be zero. "eth.ig=0" says "one of the MACs must have a 0", which is only false when both have a one.

answered 02 Apr '14, 12:25 Jasper ♦♦ edited 02 Apr '14, 12:26
Thanks, it's now obvious to me what's going on! So what I really wanted was eth.dst.ig == 0 (which is not a legal expression AFAICT - the Wireshark I'm using does not like it). But I can live with the alternative ways to express...
Yes, it looks like Wireshark does not allow you to specify the MAC for which you want the value to be checked. You could enter an enhancement request at http://bugs.wireshark.org if you like :-)
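
Added example (not part of the original thread, and not Wireshark code): a small Python model of the behaviour described in the answer, where a comparison on a field that occurs twice in a frame is true if any occurrence matches. The function names and the sample frames are constructed for illustration.

```python
# Models the "any occurrence matches" rule for eth.ig, which appears twice
# per frame: once for the destination MAC and once for the source MAC.

def ig_bit(mac):
    """I/G bit: least significant bit of the first address octet."""
    return mac[0] & 0x01

def eth_ig_values(frame):
    """Every eth.ig occurrence in the frame, as [destination, source]."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return [ig_bit(frame[0:6]), ig_bit(frame[6:12])]

def field_eq(values, wanted):
    """'field == wanted' holds when at least one occurrence equals wanted."""
    return any(v == wanted for v in values)

def evaluate(frame):
    ig = eth_ig_values(frame)
    return {
        "eth.ig == 1": field_eq(ig, 1),
        "!(eth.ig == 1)": not field_eq(ig, 1),  # no occurrence is 1
        "eth.ig == 0": field_eq(ig, 0),         # some occurrence is 0
        # What the asker wanted (destination only); a Python check,
        # not display filter syntax.
        "dst-only ig == 0": ig[0] == 0,
    }

def make_frame(dst, src):
    """Build a minimal header: dst MAC, src MAC, EtherType 0x0800."""
    return bytes.fromhex((dst + src).replace(":", "")) + b"\x08\x00"

# Constructed sample frames (addresses are illustrative only).
SAMPLES = {
    "unicast to unicast": make_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"),
    "unicast to broadcast": make_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee"),
    "unicast to multicast": make_frame("01:00:5e:00:00:fb", "00:aa:bb:cc:dd:ee"),
    # Abnormal frame with the I/G bit set in both addresses: the only case
    # where "eth.ig == 0" is false.
    "both I/G bits set": make_frame("ff:ff:ff:ff:ff:ff", "01:aa:bb:cc:dd:ee"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name)
        for expr, result in evaluate(frame).items():
            print("   %-18s %s" % (expr, result))
```

For the broadcast and multicast samples, "eth.ig == 0" is still true because the source address has a 0 bit, while "!(eth.ig == 1)" is false, which is the difference the question asks about.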