display filtering and sll?

asked 2018-04-12 18:17:41 +0000

le0

So I have some capture files and I'd like to view only traffic to/from a specific MAC address.

First I tried highlighting one of the packets from my desired source and selecting right menu apply as filter. This set the display filter to be "eth.addr eq 78:bd:bc:5f:3a:07". But that shows no packets at all.

It turns out that my capture is from Linux and contains sll pseudo-link-layer info. I found that a filter like this works: "sll.src.eth == 78:bd:bc:5f:3a:07"

But how can I filter for that MAC as both source and destination? There doesn't seem to be the corresponding "sll.dst" (or dest) syntax/taxonomy. What am I missing?

(FYI, looking for traffic from a device that apparently registered itself with our router's DNS service as having the name "localhost"! So far it seems to broadcast a lot to UDP port 15600.)

Cheers, Robb.


1 Answer


answered 2018-04-12 19:03:54 +0000

Jasper

I think the problem here is that you assume that the SLL pseudo header has source and destination addresses like an Ethernet header, which it doesn't. It only has a source, so that's why there is no destination filter. That means that - by the way the capture was taken - you always see the MAC the frame is coming from, but not where it was going to. But for your problem having the source address should be sufficient anyway, as long as you can catch the registration packet.

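The 16-byte Linux cooked-capture (SLL version 1) pseudo-header that the answer describes, parsed in Python as an added example (not code from this thread or from Wireshark). The `mk` helper, the sample frames and the address 02:00:00:00:00:01 are constructed for illustration; the parsed fields show that only a sender address and a direction code are recorded, never a destination.

```python
import struct

# Packet-type values carried in the SLL v1 header (direction relative to the capture host).
PKT_TYPES = {0: "unicast to capture host", 1: "broadcast", 2: "multicast",
             3: "other host to other host", 4: "sent by capture host"}

def parse_sll(frame: bytes) -> dict:
    """Parse the 16-byte SLL v1 pseudo-header at the start of a frame."""
    if len(frame) < 16:
        raise ValueError("truncated SLL header")
    # packet type, ARPHRD type, address length, 8-byte address field, protocol
    pkt_type, hatype, halen, addr, proto = struct.unpack("!HHH8sH", frame[:16])
    halen = min(halen, 8)  # the address field holds at most 8 bytes
    return {
        "pkt_type": pkt_type,
        "direction": PKT_TYPES.get(pkt_type, f"unknown ({pkt_type})"),
        "hatype": hatype,
        "src": ":".join(f"{b:02x}" for b in addr[:halen]),  # sender only
        "proto": proto,
        "payload": frame[16:],
    }

def frames_from(frames, mac):
    """Same selection as the display filter sll.src.eth == mac."""
    mac = mac.lower()
    return [f for f in frames if parse_sll(f)["src"] == mac]

def mk(pkt_type, mac, proto=0x0800, payload=b""):
    """Build a constructed SLL frame (hypothetical helper for the sample data)."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!HHH8sH", pkt_type, 1, len(raw), raw, proto) + payload

# Constructed sample: two frames from the device in the question, one from the capture host.
SAMPLE = [
    mk(1, "78:bd:bc:5f:3a:07", payload=b"bcast"),
    mk(4, "02:00:00:00:00:01", payload=b"reply"),  # constructed local MAC
    mk(0, "78:bd:bc:5f:3a:07", payload=b"ucast"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        h = parse_sll(f)
        print(h["src"], "|", h["direction"])
```

The frame sent by the capture host carries only the host's own address, so a reply to the device cannot be matched by the device's MAC in an SLL capture.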
