0

How to create capture filter based on partial MAC address?

asked 2018-03-12 22:13:54 +0000

decrep

I want to create a capture filter based on a partial MAC address. For example, I want to capture all traffic from devices with MAC address containing 00:0C:22. I have been using "ether host xx:xx:xx:xx:xx:xx", but this syntax requires a full MAC address; it does not work with a partial MAC. What is the correct filter to use in this case? Thanks!


2 Answers

-1

answered 2018-03-12 22:36:15 +0000

Dan

MAC Address: bc:05:43:41:28:06

Filter first 3 hex: eth.addr[0:3] == bc:05:43

Filter last 2 hex: eth.addr[4:2] == 28:06

and so on..


Comments

These are display filters so they will not work as capture filters due to the syntax difference.

Something like this is close:

ether[0:4]==0xdc53606f || ether[6:4]==0xdc53606f

This is for an Intel card, and should get anything sent or received. However, it is not an answer because you wanted three bytes as a match; only an even number of bytes will work here. For example, ether[0:3] will not work, but ether[0:2] or ether[0:4] will.

Bob Jones (2018-03-12 23:37:33 +0000)
1

answered 2018-03-13 03:21:28 +0000

Jim Aragon

updated 2018-03-13 03:23:39 +0000

You said, "I want to capture all traffic from devices with MAC address containing 00:0C:22."

You probably can't create a capture filter for MAC addresses containing 00:0C:22 anywhere in the MAC address fields. But if you know where in the MAC address field those three bytes will be, you can use a byte-offset capture filter.

To capture packets where either the source or destination MAC address starts with 00:0C:22:

(ether[0:4] & 0xffffff00 = 0x000c2200) or (ether[6:4] & 0xffffff00 = 0x000c2200)

In the capture filter expressions "ether[0:4]" and "ether[6:4]", 0 and 6 are the starting bytes for the destination MAC address field and the source MAC address field respectively, and 4 is the number of bytes to examine. Unfortunately, you want to examine three bytes, but you can only put 1, 2, or 4 after the colon, so three is not a valid value. However, the "& 0xffffff00" expression masks off the fourth byte.

You could also just examine each byte individually:

(ether[0]=0x0 and ether[1]=0x0c and ether[2]=0x22) or (ether[6]=0x0 and ether[7]=0x0c and ether[8]=0x22)


Comments

I found out that it's to be used as a capture filter instead of a display filter, under Capture > Capture Filters....

Starhowl (2022-11-02 16:54:11 +0000)
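As an added example (my own code, not from this thread, Wireshark or libpcap), the following Python reproduces the byte-offset logic behind the capture filters in both answers: it evaluates ether[offset:width] on a raw Ethernet frame the way pcap does (only widths 1, 2 and 4 are accepted, so a 3-byte OUI is read as 4 bytes and the fourth byte is masked off), and it generalises the filter construction to any 1- to 6-byte prefix. The function names, the frame builder and the sample frames are all constructed for this illustration; the generated filter string for 00:0C:22 is identical to the one in Jim Aragon's answer.

```python
# Added example (not from the original thread): emulate how a pcap/BPF
# capture filter of the form
#   (ether[0:4] & 0xffffff00 = 0x000c2200) or (ether[6:4] & 0xffffff00 = 0x000c2200)
# decides on a raw Ethernet frame, and build such a filter for any 1..6-byte
# prefix using only the widths pcap allows after the colon (1, 2 or 4).
import struct

DST_OFFSET = 0            # destination MAC occupies bytes 0-5 of the Ethernet header
SRC_OFFSET = 6            # source MAC occupies bytes 6-11
VALID_WIDTHS = (1, 2, 4)  # ether[off:len] only accepts these lengths


def parse_mac(text: str) -> bytes:
    """'00:0C:22' or '00-0c-22' -> b'\\x00\\x0c\\x22' (1 to 6 bytes)."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if not 1 <= len(raw) <= 6:
        raise ValueError("prefix must be between 1 and 6 bytes")
    return raw


def make_frame(dst: str, src: str, ethertype: int = 0x0800,
               payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return parse_mac(dst) + parse_mac(src) + struct.pack("!H", ethertype) + payload


def ether_slice(frame: bytes, offset: int, width: int) -> int:
    """Value of ether[offset:width] as pcap computes it: big-endian unsigned integer."""
    if width not in VALID_WIDTHS:
        # pcap rejects ether[0:3]; this is the limitation the answers above describe
        raise ValueError(f"ether[{offset}:{width}]: width must be 1, 2 or 4")
    chunk = frame[offset:offset + width]
    if len(chunk) != width:
        raise ValueError("frame too short for that offset")
    return int.from_bytes(chunk, "big")


def _reads(n: int):
    """Split an n-byte prefix into (pos, width, take) reads using widths 1, 2, 4.
    A 3-byte remainder is read as 4 bytes and the fourth byte is masked off."""
    plan, pos = [], 0
    while pos < n:
        remaining = n - pos
        if remaining >= 4:
            width, take = 4, 4
        elif remaining == 3:
            width, take = 4, 3
        elif remaining == 2:
            width, take = 2, 2
        else:
            width, take = 1, 1
        plan.append((pos, width, take))
        pos += take
    return plan


def _mask_and_value(prefix: bytes, pos: int, width: int, take: int):
    """Mask keeping the first `take` of `width` bytes, and the value to compare against."""
    mask = int.from_bytes(b"\xff" * take + b"\x00" * (width - take), "big")
    value = int.from_bytes(prefix[pos:pos + take].ljust(width, b"\x00"), "big")
    return mask, value


def prefix_filter(prefix_text: str) -> str:
    """Capture filter matching frames whose source OR destination MAC starts with the prefix."""
    prefix = parse_mac(prefix_text)
    clauses = []
    for base in (DST_OFFSET, SRC_OFFSET):
        terms = []
        for pos, width, take in _reads(len(prefix)):
            mask, value = _mask_and_value(prefix, pos, width, take)
            digits = 2 * width  # hex digits needed for this read width
            if take == width:
                terms.append(f"ether[{base + pos}:{width}] = 0x{value:0{digits}x}")
            else:
                terms.append(f"ether[{base + pos}:{width}] & 0x{mask:0{digits}x}"
                             f" = 0x{value:0{digits}x}")
        clauses.append("(" + " and ".join(terms) + ")")
    return " or ".join(clauses)


def frame_matches_prefix(frame: bytes, prefix_text: str) -> bool:
    """Evaluate the same byte-offset logic directly on a frame (what the BPF program does)."""
    prefix = parse_mac(prefix_text)
    for base in (DST_OFFSET, SRC_OFFSET):
        matched = True
        for pos, width, take in _reads(len(prefix)):
            mask, value = _mask_and_value(prefix, pos, width, take)
            if ether_slice(frame, base + pos, width) & mask != value:
                matched = False
                break
        if matched:
            return True
    return False


if __name__ == "__main__":
    print(prefix_filter("00:0C:22"))
    sample = make_frame("00:0c:22:aa:bb:cc", "11:22:33:44:55:66")  # constructed frame
    print(frame_matches_prefix(sample, "00:0C:22"))  # True: destination starts with the OUI
```

Note that frame_matches_prefix only checks the start of each address field, exactly like the generated filter: a frame whose destination is aa:00:0c:22:bb:cc does not match, which is the "containing 00:0C:22 anywhere" case the answer says a capture filter cannot express.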


Stats

Asked: 2018-03-12 22:13:54 +0000

Seen: 28,447 times

Last updated: Mar 13 '18