This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter MAC address of a particular manufacturer

0

I have set up a statiion to capture WiFi data with Wireshark. The station is a Ubuntu laptop with a TP-Link TP-WN722M WiFi adaptor. The WiFi network interface is configured to capture in monitor mode and Wireshark in promiscuous mode.

I want to filter all traffic from a particular WiFi chip manufacture. I know its ID in the first 24bits of the MAC address, such as AA:BB:CC:xx:xx:xx. How can I set the filter?

Thank you. :)

asked 18 Aug '14, 21:13

garypty's gravatar image

garypty
31337
accept rate: 0%


One Answer:

0

From the 7th example on Wiresjhark Display Filters :

"The "slice" feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the Ethernet page for details. Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:

  eth.src[0:3]==00:06:5B

(Note: this is a display filter not a capture filter)

It appears that a capture filter of the form ether[6:3] == 0xnnnnnn should also work (altho I haven't tried it).

answered 18 Aug '14, 21:31

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 18 Aug '14, 21:50

As I am capturing WiFi data, the fitler is wlan.sa[0:3]==00:06:5B . Thanks.

(19 Aug '14, 03:53) garypty