Troubleshooting an ARP issue. Need to capture just a specific MAC to see if and when it's requesting ARP. Need to see both TX/RX frames. Looking for assistance with building the tshark filter. Thanks in advance.
asked 30 Jul '15, 06:23 cfrass66
One Answer:
eth.addr == "MAC address"
example: eth.addr == fe:ff:20:00:01:00
answered 30 Jul '15, 06:42 Amato_C
If the answer provided solved your problem, could you accept the solution as answered (check mark below the thumbs-up and thumbs-down)? This will help others in the future.
Thank you.
tshark -i eth4 eth.addr == fe:ff:20:00:01:00
Running as user "root" and group "root". This could be dangerous.
Capturing on eth4
tshark: Invalid capture filter: "eth.addr == fe:ff:20:00:01:00"!
This is what I get when attempting that filter. Is there an option that needs to be set?
@cfrass66
tshark -i eth4 -f "ether host fe:ff:20:00:01:00"
The reason for the error was that the original form is in display filter syntax.
The second form is in capture filter syntax, which is the default syntax if not prefixed with a flag on the tshark command line.
Thank you guys!
tshark -i eth4 -f "ether host 08:81:f4:eb:81:4a"
Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.
If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.
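An added example, not part of the original thread: a Python sketch of what the capture filter `ether host <mac>` selects once it is narrowed with `and arp`, showing that it matches the MAC as source or destination (TX and RX) and how the ARP opcode separates requests from replies. The peer MAC, the IP addresses and the frames are constructed for illustration; only `fe:ff:20:00:01:00` comes from the thread.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_OPS = {1: "request", 2: "reply"}

def mac_bytes(text):
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("not a MAC address: %r" % text)
    return raw

def arp_for_host(frame, mac):
    """Apply the logic of capture filter 'ether host <mac> and arp' to one
    raw Ethernet frame; return None on no match, else a summary dict."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    host = mac_bytes(mac)
    if host not in (dst, src) or ethertype != ETHERTYPE_ARP:
        return None                          # 'ether host' = source OR destination
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):               # only IPv4-over-Ethernet ARP
        return None
    return {
        "direction": "tx" if src == host else "rx",
        "op": ARP_OPS.get(op, "op %d" % op),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }

def build_arp(src, dst, op, sender_ip, target_ip):
    """Constructed test frame: Ethernet header followed by an ARP body."""
    tha = b"\x00" * 6 if op == 1 else mac_bytes(dst)
    return (mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(src) + socket.inet_aton(sender_ip)
            + tha + socket.inet_aton(target_ip))

HOST = "fe:ff:20:00:01:00"                   # MAC from the thread
OTHER = "02:00:00:00:00:01"                  # constructed peer
SAMPLE = [                                   # constructed frames, not a real capture
    build_arp(HOST, "ff:ff:ff:ff:ff:ff", 1, "192.0.2.10", "192.0.2.1"),
    build_arp(OTHER, HOST, 2, "192.0.2.1", "192.0.2.10"),
    build_arp(OTHER, "ff:ff:ff:ff:ff:ff", 1, "192.0.2.1", "192.0.2.99"),
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(arp_for_host(frame, HOST))
```

The host's own requests go to the broadcast address, so they match on the source MAC, while replies sent back to it match on the destination MAC.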