Hello, I need to track a MAC address or a span of MAC addresses, any idea how to just filter with the MAC? As of now I have just filtered via LLC protocol; it would be a lot cleaner with just the MAC.
Thanks in advance.
asked 02 Jun '11, 07:17
If you are using a display filter of eth.addr == xx:xx:xx:xx:xx:xx and you are not seeing any information being displayed/sniffed, then the traffic for that MAC address is not passing through the port you're sniffing on.
You can use a list for your MACs in one display filter, but not a range, unless you switch to IPs instead of MACs. For instance, tshark -i 1 -R "eth.addr eq xx:xx:xx:xx:xx:xx or eth.addr eq xx:xx:xx:xx:xx:xx"
If you are trying to trace MACs on the switch you are also connected to, then you'll want to sniff from a port which is spanned/mirrored to the port which has inbound/outbound traffic of that switch, so that you will see all the traffic coming in and out of the switch.
By specifying the MAC address filter, eth.addr eq xx:xx:xx:xx:xx:xx, you are filtering for all traffic to and from that associated MAC address. Like the MAC address, the LLC (logical link control) protocol is also layer 2, but it is the upper sublayer of the Data Link Layer and won't affect the ability to capture the traffic unless you specify llc as a filter and there isn't any llc traffic, in which case you would get the blank screen.
Hope this is helpful, John
answered 08 Jun '11, 10:04
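To make the eth.addr logic in the answer above concrete, here is an added, stand-alone example (not code from the original thread or from Wireshark) that parses raw Ethernet frames and applies the same two kinds of match the answer discusses: an exact match against a list of MACs (the equivalent of chaining eth.addr eq ... with or) and a prefix match on the leading octets, which is how a "span" of addresses sharing an OUI can be picked out when a proper range is not available. The frames, addresses and helper names are all constructed for the example.

```python
import struct

# Ethernet II header: dst MAC (6) | src MAC (6) | EtherType (2). The two MAC
# fields sit at the same offsets even on 802.1Q-tagged frames, which is why a
# MAC filter is unaffected by whatever protocol (LLC, IP, ...) follows.
ETH_HEADER_LEN = 14


def mac_to_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(o, 16) for o in octets)


def bytes_to_mac(raw: bytes) -> str:
    """6 raw bytes -> lower-case colon-separated string (Wireshark style)."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"\x00" * 4) -> bytes:
    """Assemble a constructed Ethernet frame for the sample data below."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw frame, or raise on a runt."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    return bytes_to_mac(dst), bytes_to_mac(src), ethertype


def matches_mac(frame: bytes, wanted) -> bool:
    """Exact match: eth.addr eq A or eth.addr eq B ... (either direction)."""
    dst, src, _ = parse_ethernet(frame)
    wanted_set = {m.lower() for m in wanted}
    return dst in wanted_set or src in wanted_set


def matches_prefix(frame: bytes, prefix: str) -> bool:
    """Prefix match on leading octets, e.g. an OUI like 'aa:bb:cc'."""
    dst, src, _ = parse_ethernet(frame)
    p = prefix.lower()
    return dst.startswith(p) or src.startswith(p)


def filter_frames(frames, wanted=(), prefix=None):
    """Keep frames whose src or dst is in `wanted` or starts with `prefix`."""
    return [
        f for f in frames
        if matches_mac(f, wanted) or (prefix is not None and matches_prefix(f, prefix))
    ]


# Constructed sample capture: four frames with made-up addresses.
HOST_A = "00:11:22:33:44:55"
OUI_NIC_1 = "aa:bb:cc:00:00:01"
OUI_NIC_2 = "aa:bb:cc:00:00:02"
OTHER = "12:34:56:78:9a:bc"

SAMPLE_FRAMES = [
    build_frame(dst=HOST_A, src=OUI_NIC_1),                 # 0
    build_frame(dst="ff:ff:ff:ff:ff:ff", src=OUI_NIC_2),    # 1 broadcast
    build_frame(dst=HOST_A, src=OTHER),                     # 2
    build_frame(dst=OTHER, src="de:ad:be:ef:00:01"),        # 3
]


def demo():
    """Run the three filters over the sample frames and return matching indices."""
    by_list = filter_frames(SAMPLE_FRAMES, wanted=[OUI_NIC_1.upper()])
    by_host = filter_frames(SAMPLE_FRAMES, wanted=[HOST_A])
    by_oui = filter_frames(SAMPLE_FRAMES, prefix="aa:bb:cc")
    idx = lambda hits: [SAMPLE_FRAMES.index(f) for f in hits]
    return {"list": idx(by_list), "host": idx(by_host), "oui": idx(by_oui)}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: frames {hits}")
```

The exact-match path is what eth.addr eq gives you in Wireshark or tshark; the prefix path is the offline equivalent of narrowing to a vendor block when you have a "span" of addresses from one NIC manufacturer. Matching is done on normalised lower-case strings so a filter typed in upper case still hits.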
If you are only interested in traffic concerning a device with the MAC address from your comment, you can use this capture filter:
answered 02 Jun '11, 09:01