How to create capture filter based on partial MAC address?

asked Mar 12 '18

decrep

I want to create a capture filter based on a partial MAC address. For example, I want to capture all traffic from devices with MAC address containing 00:0C:22. I have been using "ether host xx:xx:xx:xx:xx:xx", but this syntax requires a full MAC address; it does not work with a partial MAC. What is the correct filter to use in this case? Thanks!


2 Answers


answered Mar 13 '18

Jim Aragon

updated Mar 13 '18

You said, "I want to capture all traffic from devices with MAC address containing 00:0C:22."

You probably can't create a capture filter for MAC addresses containing 00:0C:22 anywhere in the MAC address fields. But if you know where in the MAC address field those three bytes will be, you can use a byte-offset capture filter.

To capture packets where either the source or destination MAC address starts with 00:0C:22:

(ether[0:4] & 0xffffff00 = 0x000c2200) or (ether[6:4] & 0xffffff00 = 0x000c2200)

In the capture filter expressions "ether[0:4]" and "ether[6:4]", 0 and 6 are the starting bytes for the destination MAC address field and the source MAC address field respectively, and 4 is the number of bytes to examine. Unfortunately, you want to examine three bytes, but you can only put 1, 2, or 4 after the colon, so three is not a valid value. However, the "& 0xffffff00" expression masks off the fourth byte.

You could also just examine each byte individually:

(ether[0]=0x0 and ether[1]=0x0c and ether[2]=0x22) or (ether[6]=0x0 and ether[7]=0x0c and ether[8]=0x22)


Comments

I found out that it's to be used as a capture filter instead of a display filter, under Capture > Capture Filters...

Starhowl ( Nov 2 '2 )

answered Mar 12 '18

Dan

MAC Address: bc:05:43:41:28:06

Filter first 3 hex: eth.addr[0:3] == bc:05:43

Filter last 2 hex: eth.addr[4:2] == 28:06

and so on...


Comments

These are display filters so they will not work as capture filters due to the syntax difference.

Something like this is close:

ether[0:4]==0xdc53606f || ether[6:4]==0xdc53606f

This is for an Intel card, and should get anything sent or received. However, it is not an answer because you wanted three bytes as a match; only an even number of bytes will work here. For example, ether[0:3] will not work, but ether[0:2] or ether[0:4] will.

Bob Jones ( Mar 12 '18 )
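The two answers above describe the same idea in two different languages: a byte-offset-and-mask BPF capture filter (Jim Aragon's answer) and a field-slice display filter (Dan's answer, which Bob Jones notes is not usable as a capture filter). The following Python is an added example, not code from the thread or from Wireshark, that builds both filter strings from a MAC prefix and emulates the BPF loads against a few constructed Ethernet headers so you can see why the 1/2/4-byte load limit forces the "& 0xffffff00" mask. It generalizes the accepted answer from a 3-octet prefix to any 1- to 6-octet prefix at the start of the source or destination address; the function names, the offset constants and the sample frames are all assumptions made for this example.

```python
"""Build MAC-prefix capture and display filters and check them against frames.

Added example (not from the original thread). It generalizes the byte-offset
capture filter in the accepted answer from a 3-octet prefix to any 1- to
6-octet prefix at the start of the source or destination MAC address.
"""
from __future__ import annotations

DST_OFFSET = 0  # destination MAC occupies bytes 0-5 of an Ethernet II frame
SRC_OFFSET = 6  # source MAC occupies bytes 6-11


def parse_prefix(prefix: str) -> bytes:
    """'00:0C:22' -> b'\\x00\\x0c\\x22'. Accepts 1 to 6 colon-separated octets."""
    octets = bytes(int(part, 16) for part in prefix.split(":"))
    if not 1 <= len(octets) <= 6:
        raise ValueError("prefix must have 1 to 6 octets")
    return octets


def bpf_terms(offset: int, octets: bytes) -> list[tuple[int, int, int, int]]:
    """Split a prefix into (offset, width, mask, value) loads BPF can perform.

    BPF reads 1, 2 or 4 bytes per load. Three leftover octets are read as a
    4-byte load with the low byte masked off, exactly like '& 0xffffff00'.
    """
    terms = []
    pos = 0
    while pos < len(octets):
        left = len(octets) - pos
        width = 4 if left >= 3 else left            # 4, 2 or 1
        chunk = octets[pos:pos + width]
        pad = width - len(chunk)                    # 1 only when left == 3
        value = int.from_bytes(chunk + b"\x00" * pad, "big")
        mask = ((1 << (8 * len(chunk))) - 1) << (8 * pad)
        terms.append((offset + pos, width, mask, value))
        pos += len(chunk)
    return terms


def render_bpf(terms: list[tuple[int, int, int, int]]) -> str:
    """Format the loads as pcap-filter syntax, omitting a mask that is all ones."""
    parts = []
    for off, width, mask, value in terms:
        digits = 2 * width
        load = f"ether[{off}:{width}]"
        if mask != (1 << (8 * width)) - 1:
            load = f"{load} & 0x{mask:0{digits}x}"
        parts.append(f"{load} = 0x{value:0{digits}x}")
    return " and ".join(parts)


def capture_filter(prefix: str) -> str:
    """BPF capture filter matching the prefix at the start of src OR dst."""
    octets = parse_prefix(prefix)
    dst = render_bpf(bpf_terms(DST_OFFSET, octets))
    src = render_bpf(bpf_terms(SRC_OFFSET, octets))
    return f"({dst}) or ({src})"


def display_filter(prefix: str) -> str:
    """Equivalent Wireshark display filter; eth.addr covers src and dst."""
    octets = parse_prefix(prefix)
    return f"eth.addr[0:{len(octets)}] == " + ":".join(f"{b:02x}" for b in octets)


def bpf_matches(frame: bytes, terms: list[tuple[int, int, int, int]]) -> bool:
    """Evaluate the loads the way the packet filter would on a raw frame."""
    for off, width, mask, value in terms:
        if len(frame) < off + width:
            return False  # a load past the end of the packet rejects it
        if int.from_bytes(frame[off:off + width], "big") & mask != value:
            return False
    return True


def frame_matches(frame: bytes, prefix: str) -> bool:
    """True if either address field starts with the prefix."""
    octets = parse_prefix(prefix)
    return (bpf_matches(frame, bpf_terms(DST_OFFSET, octets))
            or bpf_matches(frame, bpf_terms(SRC_OFFSET, octets)))


if __name__ == "__main__":
    # Constructed 14-byte Ethernet II headers (dst, src, EtherType), no payload.
    hit_src = bytes.fromhex("ffffffffffff" "000c22aabbcc" "0800")
    hit_dst = bytes.fromhex("000c22112233" "bc0543412806" "0800")
    miss = bytes.fromhex("000c23112233" "bc0543412806" "0800")
    print(capture_filter("00:0C:22"))
    print(display_filter("00:0C:22"))
    for name, frame in [("hit_src", hit_src), ("hit_dst", hit_dst), ("miss", miss)]:
        print(name, frame_matches(frame, "00:0C:22"))
```

For the asker's 00:0C:22 the generated capture filter is byte-for-byte the accepted answer's expression; a full six-octet address comes out as a 4-byte load followed by a 2-byte load with no mask at all, and a single octet as a 1-byte load, so the mask is only needed for the three-octet case the thread is about. The emulation is useful as a sanity check before deploying a filter: you can feed it a header copied from a real capture and confirm it would have been kept.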


Stats

Asked: Mar 12 '18

Seen: 29,025 times

Last updated: Mar 13 '18