This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MAC address

2
1

Hello, I need to track a MAC address or a span of MAC addresses. Any idea how to just filter with the MAC? As of now I have just filtered via the LLC protocol; it would be a lot cleaner with just the MAC.

Thanks in advance.

asked 02 Jun '11, 07:17

aplatek
31234
accept rate: 0%


3 Answers:

3

If you are using a display filter of eth.addr == xx:xx:xx:xx:xx:xx and you are not seeing any information being displayed/sniffed, then the traffic for that MAC address is not passing through the port you're sniffing on.

You can use a list of your MACs in one display filter, but not a range, unless you switch to IPs instead of MACs. For instance: tshark -i 1 -R "eth.addr eq xx:xx:xx:xx:xx:xx or eth.addr eq xx:xx:xx:xx:xx:xx"

If you are trying to trace MACs on the switch you are also connected to, then you'll want to sniff from a port which is spanned/mirrored to the port which carries the inbound/outbound traffic of that switch, so that you will see all the traffic coming in and out of the switch.
(I'm assuming the traffic you are looking for is traveling to a destination on another switch, outside the network, or at least to your gateway).

By specifying the MAC address filter eth.addr eq xx:xx:xx:xx:xx:xx, you are filtering for all traffic to and from that MAC address. Like the MAC address, the LLC (logical link control) protocol is also layer 2, but it is the upper sublayer of the Data Link Layer and won't affect the ability to capture the traffic, unless you specify llc as a filter and there isn't any LLC traffic; then you would get the blank screen.

Hope this is helpful, John

answered 08 Jun '11, 10:04

John_Modlin
1205
accept rate: 0%

eth.src == 00:0c:cc:76:5d:37 Using this filter, it still will not pick up my MAC. Is it because of the LLC protocol?

(08 Jun '11, 08:09) aplatek

My answer above describes the relationship between LLC and the MAC addressing.
Can you describe your physical connectivity of your sniffer and the device of which you are trying to capture?

(10 Jun '11, 07:41) John_Modlin
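The answer above makes two points that are easy to check offline: eth.addr matches either the source or the destination address, and a display filter takes a list of MACs but not a numeric range; it also notes that LLC is an upper sublayer of layer 2, so the MAC addresses sit in the same place whether a frame is Ethernet II or 802.3/LLC. The Python below is an added example, not code from the thread or from Wireshark: it parses raw Ethernet frames and implements the list match, a range match on the 48-bit address value, and the Ethernet II versus LLC distinction. The sample frames are constructed for the example (the two MAC addresses come from the thread, the rest are made up), and the payloads are filler.

```python
"""Offline MAC-address matching over raw Ethernet frames (added example)."""
import struct
from typing import Iterable, List, Optional, Tuple

# A Type/Length field of 0x0600 (1536) or more is an EtherType (Ethernet II);
# 1500 or less is an 802.3 length, meaning an LLC header follows.
ETHERTYPE_MIN = 0x0600


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (any case, ':' or '-' separators) into 6 bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, int, str]:
    """Return (dst, src, type_or_length, encapsulation) for one frame.

    encapsulation is 'ethernet_ii' or 'llc'; in both cases the destination and
    source MACs occupy bytes 0-5 and 6-11, which is why an LLC frame is still
    matched by an address filter.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (tl,) = struct.unpack("!H", frame[12:14])
    encap = "ethernet_ii" if tl >= ETHERTYPE_MIN else "llc"
    return dst, src, tl, encap


def match_addr(frame: bytes, mac: str) -> bool:
    """Equivalent of the display filter eth.addr == mac (source OR destination)."""
    dst, src, _, _ = parse_frame(frame)
    target = mac_to_bytes(mac)
    return dst == target or src == target


def match_any(frame: bytes, macs: Iterable[str]) -> bool:
    """Equivalent of chaining 'eth.addr eq A or eth.addr eq B ...'."""
    return any(match_addr(frame, m) for m in macs)


def match_range(frame: bytes, low: str, high: str) -> bool:
    """Inclusive range check on either address, comparing the raw 48-bit values.

    The addresses are big-endian byte strings, so lexicographic comparison of
    the bytes equals numeric comparison of the address.
    """
    dst, src, _, _ = parse_frame(frame)
    lo, hi = mac_to_bytes(low), mac_to_bytes(high)
    if lo > hi:
        raise ValueError("range low is greater than high")
    return lo <= dst <= hi or lo <= src <= hi


def build_frame(dst: str, src: str, type_or_len: int, payload: bytes) -> bytes:
    """Assemble a minimal frame; used only to construct the samples below."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", type_or_len) + payload


# Constructed sample capture (not real traffic).
SAMPLE_FRAMES: List[bytes] = [
    # Ethernet II, EtherType 0x0800 (IPv4), from the asker's source MAC
    build_frame("ff:ff:ff:ff:ff:ff", "00:0c:cc:76:5d:37", 0x0800, b"\x45" + b"\x00" * 19),
    # 802.3 with LLC (length field 46) to the destination MAC from the comments
    build_frame("00:0c:cc:76:4e:07", "00:0c:cc:76:4e:10", 46, b"\xaa\xaa\x03" + b"\x00" * 43),
    # Unrelated (made-up) vendor prefix, Ethernet II ARP
    build_frame("ff:ff:ff:ff:ff:ff", "3c:5a:b4:01:02:03", 0x0806, b"\x00" * 28),
]


def select_frames(frames: List[bytes], macs: Optional[Iterable[str]] = None,
                  mac_range: Optional[Tuple[str, str]] = None) -> List[int]:
    """Return the indexes of frames passing the list filter and/or the range filter."""
    hits = []
    for i, f in enumerate(frames):
        ok = True
        if macs is not None:
            ok = ok and match_any(f, list(macs))
        if mac_range is not None:
            ok = ok and match_range(f, *mac_range)
        if ok:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FRAMES):
        dst, src, tl, encap = parse_frame(f)
        print(f"frame {i}: {bytes_to_mac(src)} -> {bytes_to_mac(dst)} type/len=0x{tl:04x} {encap}")
    print("list filter:", select_frames(SAMPLE_FRAMES, macs=["00:0c:cc:76:5d:37", "00:0c:cc:76:4e:07"]))
    print("range filter:", select_frames(SAMPLE_FRAMES, mac_range=("00:0c:cc:76:00:00", "00:0c:cc:76:ff:ff")))
```

Frame 1 is an LLC frame and is still selected by both filters, which is the answer's point that LLC does not hide the MAC addresses; if a real capture shows nothing for a given eth.addr, the traffic is simply not reaching the sniffing port.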

1

Between the Ethernet wiki page and the user guide, you should find just about everything you need.

answered 02 Jun '11, 07:35

cmaynard ♦♦
9.4k1038142
accept rate: 20%

eth.dst == 00:0C:CC:76:4E:07 This filters out everything, and that is right from the user guide. It makes the field blank. Any ideas?

(02 Jun '11, 07:47) aplatek

Within the packet details pane, if you right-click on a MAC address of interest and choose, "Apply as filter -> Selected", what do you get?

(02 Jun '11, 09:56) cmaynard ♦♦

By the way, if you're not actually capturing the MAC addresses you're interested in, then you might want to review your capture setup.

(02 Jun '11, 17:39) cmaynard ♦♦

Blank screen?

(08 Jun '11, 08:14) aplatek

> eth.dst == 00:0C:CC:76:4E:07 This filters out everything, and that is right from the user guide. It makes the field blank? any ideas?

> Blank screen?

Yes. Your capture session does not have any traffic with a destination MAC address of 00:0C:CC:76:4E:07. If your packet list shows traffic before you apply this filter, and is blank after you apply this filter, then you are capturing something, but not traffic to this MAC address.

It might help people to help you if you answer cmaynard's question about what happens if you right-click a MAC address and choose "Apply as filter -> Selected."

(08 Jun '11, 11:25) Jim Aragon

1

If you are only interested in traffic concerning a device with the MAC address from your comment, you can use this capture filter: ether host 00:0C:CC:76:4E:07

answered 02 Jun '11, 09:01

multipleinte...
1.3k152340
accept rate: 12%