Ethereal-users: Re: [Ethereal-users] getting MAC addresses from ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "M.C. van den Bovenkamp" <marco@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 28 Jan 2002 07:26:03 +0100
Rakesh Arora wrote:

> > '!(ether[0:2] = 0x0002 and ether[2] = 0x2d) and
> > !(ether[0:2] = 0x0050 and ether[2] = 0x8b)' I think.
> > But double check my boolean logic; it's
> > rusty and it's almost 2:30 AM here :-).
> 
> Thanks Marco. I should be able to combine the third
> byte with the first two bytes. If so, my capture
> expression would look like:
> !(ether[6:3] = 0x00022d) and !(ether[6:3]=0x00508b).
> Is this right? (I am looking at the source addresses,
> so it is at an offset of 6)

Not according to the tcpdump manpage you can't:

"Size  is
 optional  and  indicates the number of bytes
 in the field of interest; it can  be  either
 one, two, or four, and defaults to one."

And tcpdump doesn't accept it. 

		Regards,

			Marco.