I'm trying to look for a potential duplicate MAC Address. I've read that the . or * is suppose to be the wildcard, but the filter isn't accepting that.
I've tried
eth.addr == 00:04:f2:ae:55:33
eth.addr == 00:04:f2:**:**:**
eth.addr == 00:04:f2:*
eth.addr == 00:04:f2:.
eth.addr == 00:04:f2:..:..:..
eth.addr == 00:04:f2:.:.:.
The filter just remains red and won't accept the filter.
I'm trying to look for a potential duplicate MAC Address.
You might want to use tshark along with other CLI tools to help with this? For example:
tshark -r file.pcapng -Y "eth.addr[0:3] == 00:04:f2" -T fields -e eth.src -e ip.src > eth_addr.txt
tshark -r file.pcapng -Y "eth.addr[0:3] == 00:04:f2" -T fields -e eth.dst -e ip.dst >> eth_addr.txt
sort eth_addr.txt | uniq -c
WSUG 6.4.4. Slice Operator:
eth.addr[0:3] == 00:04:f2
Asked: 2023-07-06 19:19:54 +0000
Seen: 157 times
Last updated: Jul 08 '23
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
