>> use colons, even though Ethereal documentation shows MACs with periods.
>Guy Harris: To which Ethereal documentation *on capture filters* are you
referring?
The one you get from Ethereal (V0.10.0) Help->Contents, Capture Filters
tab:
...
Some common examples:
---------------------
Example Ethernet: capture all traffic to and from the Ethernet address
08.00.08.15.ca.fe
ether 08.00.08.15.ca.fe
... <end of excerpt>
(I'm assuming that "Ethernet address" is the MAC address.)
> represented in hex digits. The hex digits may be
> separated by colons, periods, or hyphens:
> fddi.dst eq ff:ff:ff:ff:ff:ff
> ipx.srcnode == 0.0.0.0.0.1
> eth.src == aa-aa-aa-aa-aa-aa
Yeah, I see that (in the Ethereal.com man page), not sure how I missed that
before. Maybe I didn't look hard enough.
I can't see what I might have been looking at for tcpdump that lead me to
believe periods were used for the MAC. Today, I didn't see anything in
http://www.tcpdump.org/tcpdump_man.html that specifies colons, periods or
anything for the MAC. Maybe I was looking at something within Ethereal.com
that showed tcpdump (instead of providing a URL), but I can't find it now.
My major intent was to help others who may have capture filter problems,
and who looked at the Ethereal on-line (within the program) help for info
about capture filters, and assumed periods were OK and that "ether" without
"host" was OK.
Phil