Trying to get better at filtering in Wireshark and understand the subtleties. Looking at ways to filter based on Ethernet address (MAC). First thing is separating bcast/mcast from normal addresses.
I used the IG bit line under Destination under Ethernet and did Apply As Filter -> Selected. This produces eth.ig == 1 (which appears to work). Choosing Not Selected produces !(eth.ig == 1), which also works.
My first thought (before playing with Not Selected, etc.) was to use eth.ig == 0 to screen out bcast/mcast. It appears to always evaluate to true.
Why is !(eth.ig == 1) not equivalent to eth.ig == 0?
asked 02 Apr '14, 12:20
That's probably because you always have two Ethernet addresses in a frame, one for the source, one for the destination.
"!(eth.ig == 1)" says "neither of the two MACs may have a 1", which means both must be zero.
"eth.ig == 0" says "one of the MACs must have a 0", which is only false when both have a one.
answered 02 Apr '14, 12:25
edited 02 Apr '14, 12:26
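
The matching rule described in the answer, modelled as an added example (not part of the original thread and not Wireshark code). The frames are constructed sample data, and `dst_is_individual` is a hypothetical helper that checks only the destination address, which is what the question was after.

```python
# Model of how a display filter treats a field that occurs more than once
# in a frame: "field == x" is true if ANY occurrence equals x.

def ig_bit(mac):
    """I/G bit: least significant bit of the first octet (1 = group address)."""
    return int(mac.split(":")[0], 16) & 1

def eth_ig_values(frame):
    """eth.ig occurs twice per frame: destination first, then source."""
    return [ig_bit(frame["dst"]), ig_bit(frame["src"])]

def field_eq(values, wanted):
    """Any-occurrence match, as described in the answer above."""
    return any(v == wanted for v in values)

def dst_is_individual(frame):
    """Hypothetical helper: test the destination's I/G bit only."""
    return ig_bit(frame["dst"]) == 0

def evaluate(frame):
    vals = eth_ig_values(frame)
    return {
        "eth.ig == 1": field_eq(vals, 1),
        "!(eth.ig == 1)": not field_eq(vals, 1),
        "eth.ig == 0": field_eq(vals, 0),
        "dst individual": dst_is_individual(frame),
    }

# Constructed sample frames. The last one has a group bit in the source
# address, which is atypical and is included only to show the one case
# where "eth.ig == 0" is false.
FRAMES = {
    "unicast":    {"dst": "00:1b:21:3c:4d:5e", "src": "00:1b:21:aa:bb:cc"},
    "broadcast":  {"dst": "ff:ff:ff:ff:ff:ff", "src": "00:1b:21:aa:bb:cc"},
    "multicast":  {"dst": "01:00:5e:00:00:fb", "src": "00:1b:21:aa:bb:cc"},
    "both group": {"dst": "ff:ff:ff:ff:ff:ff", "src": "01:00:5e:00:00:01"},
}

def truth_table():
    return {name: evaluate(frame) for name, frame in FRAMES.items()}

if __name__ == "__main__":
    for name, row in truth_table().items():
        print(f"{name:10s}", row)
```

Because a source address normally has its I/G bit clear, `eth.ig == 0` matches every ordinary frame, while `!(eth.ig == 1)` drops broadcast and multicast as intended.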