Revision history

You said, "I want to capture all traffic from devices with MAC address containing 00:0C:22."

You probably can't create a capture filter for MAC addresses containing 00:0C:22 anywhere in the MAC address fields. But if you know where in the MAC address field those three bytes will be, you can use a byte-offset capture filter.

To capture packets where either the source or destination MAC address starts with 00:0C:22:

(ether[0:4] & 0xffffff00 = 0x000c2200) or (ether[6:4] & 0xffffff00 = 0x000c2200)

In the capture filter expressions "ether[0:4]" and "ether[6:4]", 0 and 6 are the starting bytes for the destination MAC address field and the source MAC address field respectively, and 4 is the number of bytes to examine. Unfortunately, you want to examine three bytes, but you can only put 1, 2, or 4 after the colon, so three is not a valid value. However, the "& 0xffffff00" expression masks off the fourth byte.

You could also just examine each byte individually:

(ether[0]=0x0 and ether[1]=0x0c and ether[2]=0x22) or (ether[6]=0x0 and ether[7]=0x0c and ether[8]=0x22)
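As an added example (not part of the original answer and not Wireshark or libpcap code), here is a small Python model of the two filters above run over constructed Ethernet frames. ether() re-implements what BPF's ether[offset:size] reads, the MAC addresses and payload are made up for the test, and nothing here talks to a capture interface. It also shows a check worth doing on any masked compare: the constant has to be 0x000c2200 rather than 0x00000c22, because once "& 0xffffff00" forces the low byte to zero, a constant with a non-zero low byte can never be equal to the masked value.

```python
"""Model of the pcap byte-offset capture filters from the answer.

Assumptions (not from the original page): frames are hand-built Ethernet II
headers, and ether() is a re-implementation of BPF's ether[offset:size] read.
"""
import struct

OUI = bytes.fromhex("000c22")    # the 00:0C:22 prefix from the question
MASK = 0xFFFFFF00                # keep bytes 0-2 of a 4-byte read, drop byte 3
CORRECT_VALUE = 0x000C2200       # 00 0c 22 xx, with xx masked to 00
WRONG_VALUE = 0x00000C22         # the constant from the earlier revision


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def frame(dst: str, src: str, ethertype: int = 0x0800,
          payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed Ethernet II frame: dst(6) src(6) type(2) payload."""
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ethertype) + payload


# Constructed test frames (not captured traffic).
SAMPLE_FRAMES = {
    "dst_starts_with_oui": frame("00:0c:22:aa:bb:cc", "00:11:22:33:44:55"),
    "src_starts_with_oui": frame("ff:ff:ff:ff:ff:ff", "00:0c:22:01:02:03"),
    "neither":             frame("00:11:22:33:44:55", "66:77:88:99:aa:bb"),
    "oui_not_at_start":    frame("aa:00:0c:22:bb:cc", "00:11:22:33:44:55"),
    "shifted_decoy":       frame("00:00:0c:22:00:00", "00:11:22:33:44:55"),
}


def ether(pkt: bytes, offset: int, size: int) -> int:
    """Mimic BPF ether[offset:size]: a big-endian unsigned read of 1, 2 or 4 bytes."""
    if size not in (1, 2, 4):
        raise ValueError("BPF accepts only ether[off:1], ether[off:2] or ether[off:4]")
    if offset + size > len(pkt):
        raise ValueError("read past end of frame")
    return int.from_bytes(pkt[offset:offset + size], "big")


def match_masked(pkt: bytes, value: int = CORRECT_VALUE, mask: int = MASK) -> bool:
    """(ether[0:4] & mask = value) or (ether[6:4] & mask = value)"""
    return (ether(pkt, 0, 4) & mask) == value or (ether(pkt, 6, 4) & mask) == value


def match_bytewise(pkt: bytes) -> bool:
    """(ether[0]=0x0 and ether[1]=0x0c and ether[2]=0x22) or
       (ether[6]=0x0 and ether[7]=0x0c and ether[8]=0x22)"""
    dst = all(ether(pkt, 0 + i, 1) == OUI[i] for i in range(3))
    src = all(ether(pkt, 6 + i, 1) == OUI[i] for i in range(3))
    return dst or src


def value_is_reachable(value: int, mask: int = MASK) -> bool:
    """A masked compare can only succeed if value has no bits outside mask.
    0x00000c22 & 0xffffff00 == 0x00000c00 != 0x00000c22, so it never matches."""
    return (value & mask) == value


def filter_expression(oui: bytes = OUI) -> str:
    """Render the tcpdump/Wireshark capture filter for a prefix match on dst or src."""
    value = int.from_bytes(oui + b"\x00", "big")
    return (f"(ether[0:4] & 0x{MASK:08x} = 0x{value:08x}) or "
            f"(ether[6:4] & 0x{MASK:08x} = 0x{value:08x})")


def evaluate_all() -> dict:
    """For each sample frame: (masked filter, byte-wise filter, old constant)."""
    return {name: (match_masked(pkt), match_bytewise(pkt), match_masked(pkt, WRONG_VALUE))
            for name, pkt in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    print(filter_expression())
    print("0x%08x reachable under mask: %s" % (WRONG_VALUE, value_is_reachable(WRONG_VALUE)))
    for name, (masked, bytewise, old) in evaluate_all().items():
        print(f"{name:22s} masked={masked!s:5} bytewise={bytewise!s:5} old_constant={old}")
```

The masked form and the byte-wise form agree on every frame, including the decoys where 00:0C:22 appears shifted inside the address, and the earlier revision's constant matches nothing at all, which is what value_is_reachable() flags before any capture is started.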