This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Just want to See MAC Addresses - what is the filter wording?

0

Hi Big Time NEWBIE, just want to know the simple filter term for finding MAC addresses. Can someone please quickly tell me the right filter command string to display MAC only.

Also if the command can be written in a way to not show my own MAC address.

Thanks

PEter

asked 15 Jan '12, 01:31

morpheyous's gravatar image

morpheyous
1111
accept rate: 0%

What do you mean by "display MAC only"?

(15 Jan '12, 19:38) Guy Harris ♦♦

just want to apply a filter that display's only Mac addresses only. Dont know how to write the filter as I am a noob

Ta Pete

(16 Jan '12, 01:37) morpheyous

By "displays only MAC addresses" do you mean that you want to display only packets going to or from particular MAC addresses (but still display all the columns for those packets and, when you select a packet, display all the details of the packet)?

(16 Jan '12, 10:49) Guy Harris ♦♦

2 Answers:

1

remember not to type the qoutes

source mac filter: "ether.src == macaddress"

destination mac filter: "ether.dst == macaddress"

either mac filter: "ether.addr == macaddress"

to exclude a mac address just put a ! in front of your syntax

answered 15 Jan '12, 04:12

thetechfirm's gravatar image

thetechfirm
64116
accept rate: 0%

edited 16 Jan '12, 03:37

thetechfirm, thanks so much for replying, as mentioned I am a newbie, i tried placing your exact words in the filter box but got errors. Can u please advise of the exact terms to be put in the filter box, perhaps u can surround with "" for ease.

Thx

Pete

(15 Jan '12, 19:29) morpheyous

just edited my response for clarity. I assumed you wanted a display or post capture filter. capture filter syntax would be "ether host macaddress" (without the qoutes)

(16 Jan '12, 03:39) thetechfirm

look I am really sorry, but I get 'not a valid protocol error'

(16 Jan '12, 06:38) morpheyous

Hmmm... I just whipped this video up to illustrate. Let me know if it helps. http://www.youtube.com/watch?v=bvBfOpOYDOc

(16 Jan '12, 09:16) thetechfirm

Hi Tony, thanks heaps for the video, any chance we can chat on Skype - my user is 'callnplay'

Thx

Pete

(17 Jan '12, 01:05) morpheyous

I can chat tonight anytime after 6 pm EST. my skype id is thetechfirm

(17 Jan '12, 03:13) thetechfirm

Sorry Pete, got my days all mixed up. Got an install scheduled for tonight. Maybe some other time.

(17 Jan '12, 06:03) thetechfirm
showing 5 of 7 show 2 more comments

0

You can go to Statistics | Conversations.
Click on the tab Ethernet to get an overview of all the MAC addresses in the capture file.
Another option is to go to Statistics | Endpoints to open the "Enpoints"window.

BTW
You can learn more about display filters in the Wireshark User's Guide or in the Wireshark Wiki.

answered 16 Jan '12, 07:38

joke's gravatar image

joke
1.3k4934
accept rate: 9%