Ethereal-users: Re: [Ethereal-users] broadcast traffic display filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 24 Jul 2001 22:30:48 -0700
On Tue, Jul 24, 2001 at 10:42:08PM -0400, Hennessey,Sean wrote:
> Does anyone know of an easy way to set up a display filter to show all
> broadcast traffic (not just mac broadcast, but all broadcasts)?

Easy?  I don't know how easy it is, but:

	to look for MAC broadcasts, do

	    on Ethernet captures:

		eth.addr == ff:ff:ff:ff:ff:ff

	    on FDDI captures:

		fddi.addr == ff:ff:ff:ff:ff:ff

	    on Token Ring captures:

		tr.addr == ff:ff:ff:ff:ff:ff

	    on 802.11 captures:

		wlan.da == ff:ff:ff:ff:ff:ff || wlan.sa == ff:ff:ff:ff:ff:ff

	to look for IPv4 broadcasts, do:

	    ip.addr == 255.255.255.255 || ip.addr == BB.BB.BB.BB

(where "BB.BB.BB.BB" is the broadcast address for the network you're on;
you may want to look for broadcast addresses from other networks, if
they might be forwarded to that network).

As some of the above expressions suggest, you can use C-style short-cut
Boolean operators such as "||" (or you can use "or" instead) to combine
expressions, so you could combine multiple such tests.

There are probably other broadcast addresses you'd want to look for,
e.g. IPX, IPv6, etc.

However, is there any reason to believe that a broadcast
IPv4/IPv6/IPX/etc. packet would *not* be sent as a MAC broadcast on your
network?
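
Added example, not part of the original post: a Python helper that works out the "BB.BB.BB.BB" directed broadcast address from an interface address and prefix length, then joins it with the MAC and 255.255.255.255 tests from the message into one display filter. The function names and the sample networks are constructed for illustration.

```python
import ipaddress

# MAC broadcast tests per link type, copied from the post above.
MAC_BROADCAST = {
    "ethernet": "eth.addr == ff:ff:ff:ff:ff:ff",
    "fddi": "fddi.addr == ff:ff:ff:ff:ff:ff",
    "tokenring": "tr.addr == ff:ff:ff:ff:ff:ff",
    "802.11": "wlan.da == ff:ff:ff:ff:ff:ff || wlan.sa == ff:ff:ff:ff:ff:ff",
}


def directed_broadcast(cidr):
    """Return the directed broadcast address for an IPv4 address/prefix.

    Host bits are allowed ("192.168.10.37/24"). Returns None for /31 and /32,
    which have no broadcast address (point-to-point links, single hosts).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 networks have a directed broadcast: " + cidr)
    if net.prefixlen >= 31:
        return None
    return str(net.broadcast_address)


def broadcast_filter(link_type, cidrs):
    """Build one display filter: MAC broadcast, limited broadcast, and the
    directed broadcast of every network in cidrs (duplicates dropped)."""
    terms = [MAC_BROADCAST[link_type], "ip.addr == 255.255.255.255"]
    seen = set()
    for cidr in cidrs:
        bcast = directed_broadcast(cidr)
        if bcast is not None and bcast not in seen:
            seen.add(bcast)
            terms.append("ip.addr == " + bcast)
    return " || ".join(terms)


if __name__ == "__main__":
    # Constructed sample networks: the local /24 plus a routed /22.
    print(broadcast_filter("ethernet", ["192.168.10.37/24", "10.20.0.0/22"]))
```

Paste the printed string into the display filter field; every term is joined with "||", so a packet matching any one of the tests is shown.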