This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TSHARK - mac address filter

0

Troubleshooting an ARP issue. Need to capture just a specific MAC to see if and when it's requesting ARP. Need to see both TX/RX frames.

Looking for assistance with building the tshark filter

Thanks in advance

asked 30 Jul '15, 06:23

cfrass66
accept rate: 0%


One Answer:

1

eth.addr == "MAC address"

example:

eth.addr == fe:ff:20:00:01:00

answered 30 Jul '15, 06:42

Amato_C
accept rate: 14%

If the answer provided solves your problem, could you accept the solution as answered (check mark below the thumbs-up and thumbs-down)? This will help others in the future.

Thank you.

(30 Jul '15, 07:03) Amato_C

tshark -i eth4 eth.addr == fe:ff:20:00:01:00
Running as user "root" and group "root". This could be dangerous.
Capturing on eth4
tshark: Invalid capture filter: "eth.addr == fe:ff:20:00:01:00"!

This is what I get when attempting that filter. Is there an option that needs to be set?

(30 Jul '15, 14:33) cfrass66
1

@cfrass66

tshark -i eth4 -f "ether host fe:ff:20:00:01:00"

(30 Jul '15, 15:17) Amato_C

The reason for the error was that the original form is in display filter syntax.

The second form is in capture filter syntax, which is the default syntax if not prefixed with a flag on the tshark command line.

(30 Jul '15, 15:47) grahamb ♦

Thank you guys!

tshark -i eth4 -f "ether host 08:81:f4:eb:81:4a"

(31 Jul '15, 15:42) cfrass66

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(01 Aug '15, 01:16) grahamb ♦
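Added example, not part of the original thread: a small shell script that validates a MAC address and builds the same match in both syntaxes discussed above, capture filter for `-f` on a live interface and display filter for `-Y` when reading a saved file. The function names are made up for this example; `-Y` and `-r` are tshark options not shown in the thread.

```shell
#!/bin/sh
# Added example: one MAC address, expressed in both tshark filter syntaxes.

# normalize_mac: accept aa:bb:.. or AA-BB-.., print lower-case colon form.
# Fails on anything that is not exactly six hex octets, so no extra
# filter text can be smuggled in through the MAC argument.
normalize_mac() {
    mac=$(printf '%s' "$1" | sed 'y/ABCDEF-/abcdef:/')
    case $mac in *[!0-9a-f:]*) return 1 ;; esac
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# capture_filter MAC [arp]: libpcap (BPF) syntax, used with -f while capturing.
capture_filter() {
    mac=$(normalize_mac "$1") || return 1
    if [ "${2:-}" = arp ]; then
        printf 'ether host %s and arp\n' "$mac"
    else
        printf 'ether host %s\n' "$mac"
    fi
}

# display_filter MAC [arp]: Wireshark display syntax, used with -Y.
display_filter() {
    mac=$(normalize_mac "$1") || return 1
    if [ "${2:-}" = arp ]; then
        printf 'eth.addr == %s && arp\n' "$mac"
    else
        printf 'eth.addr == %s\n' "$mac"
    fi
}

# Usage: script IFACE_OR_FILE MAC [arp]. With no arguments nothing runs.
if [ "$#" -ge 2 ]; then
    cf=$(capture_filter "$2" "${3:-}") || { echo "bad MAC: $2" >&2; exit 2; }
    df=$(display_filter "$2" "${3:-}")
    if [ -f "$1" ]; then
        # Saved capture: only a display filter applies when reading a file.
        exec tshark -r "$1" -Y "$df"
    else
        # Live interface: the capture filter is one quoted argument to -f.
        exec tshark -i "$1" -f "$cf"
    fi
fi
```

Both `ether host` and `eth.addr` match the address as either source or destination, which covers the TX and RX frames asked about in the question.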