This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture filter MAC

0

when i write in the filter i get an error, this is what i write: "ether host 'macaddress'". I want to filter it so it only displays packets from the host Mac-address. And when i starts to write 'ether' it doesn't come up white anything i can use. How can a make it capture the MAC address.

asked 19 Sep '12, 00:20

Munken's gravatar image

Munken
16113
accept rate: 100%

4 Answers:

1

eth.src==MACaddress

answered 19 Sep '12, 00:29

Munken's gravatar image

Munken
16113
accept rate: 100%

1

This is a display filter for a MAC address. The other syntax "ether host MAC" is a capture filter.

(19 Sep '12, 01:22) Jasper ♦♦

0

This filter can not apply on my Wireshark 1.12.5 but

ether src  00:08:15:00:08:15

Display as green for Wireshark

This answer is marked "community wiki".

answered 31 May '15, 19:37

Sky%20Rover's gravatar image

Sky Rover
61
accept rate: 0%

0

eg.

!(ether src xx:xx:xx:xx:xx:xx) && !(ether dst xx:xx:xx:xx:xx:xx)

works on Wireshark 2.2.2 as a display filter to see everything except for your own traffic

Regards A3an

This answer is marked "community wiki".

answered 24 Nov '16, 03:38

A3an's gravatar image

A3an
62
accept rate: 0%

edited 24 Nov '16, 03:40

0

To capture packets from MAC address XX:XX:XX:XX:XX:XX:

ether src XX:XX:XX:XX:XX:XX

If you've captured packets without a MAC source address filter, and want to filter the display to show only packets from MAC address XX:XX:XX:XX:XX:XX:

eth.src == XX:XX:XX:XX:XX:XX

if it's an Ethernet capture,

wlan.src = XX:XX:XX:XX:XX:XX

if it's an 802.11 capture, etc..

answered 24 Nov '16, 14:54

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%