Ethereal-users: Re: [Ethereal-users] filter for MAC range

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Julian Fielding <jfielding@xxxxxxxxxxxxxxx>
Date: Thu, 11 May 2006 13:21:43 +0100
Dan S Zaniewski on Fri, 5 May 2006 14:45:58 -0400 wrote:
> I am trying to make a filter with a source MAC of   00:00:BC:**:**:**

For display filters the answer is on the wiki (http://wiki.ethereal.com/DisplayFilters) and in ethereal-filter.html on your computer! (From Ethereal's help 
menu, or (Windows) Start > Programs > Ethereal > Ethereal Program 
Directory.) Look for "slice operator":

eth.src[0:3] == 00:00:BC

You can replace eth.src with eth.dst or eth.addr, which means source or 
destination. That is
eth.addr[0:3] == 00:00:BC
is equivalent to
eth.src[0:3] == 00:00:BC or eth.dst[0:3] == 00:00:BC

It's not so obvious for capture filters, because the language is less 
powerful [but see * below] and because the full documentation is in the 
tcpdump manual. See http://wiki.ethereal.com/CaptureFilters for an outline 
and link to the tcpdump manual.

There's a slice operator but only three legal slice sizes (1, 2 or 4 
bytes), and it can only be applied to a few protocols. The "ether" 
protocol starts with destination mac address, and the & operator can be 
used to throw away the unwanted byte from a four byte slice. So:

Source:
ether[6:4]&0xFFFFFF00==0xBC00

Destination:
ether[0:4]&0xFFFFFF00==0xBC00

Either:
ether[0:4]&0xFFFFFF00==0xBC00 or ether[6:4]&0xFFFFFF00==0xBC00

* The capture filter language has some surprising conveniences. "ether 
host" acts like display filter "eth.addr==", and you don't need to repeat 
it with multiple addresses joined by || (or) or && (and). So this is the 
logical or of six == comparisons:
ether host 12:34:56:78:90:AB or 34:56:78:90:AB:CD or 56:78:90:AB:CD:EF

This captures all unicast packets exchanged by two devices:
ether host 12:34:56:78:90:AB and 34:56:78:90:AB:CD

Being lazy, I usually capture a short sample with no filter, identify 
relevant mac addresses, and use the display filter option "Prepare a 
Filter > ... or Selected" repeatedly (without applying) to get them all in 
the Display Filter dialog box, because that supports copy and paste. 
Select enough of the display filter text to include all the mac addresses, 
copy it, and clear the display filter. Go to capture filter, type "ether 
host ", paste and edit the result till it's like "ether host 
12:34:56:78:90:AB || 34:56:78:90:AB:CD || ...".

Regards, Julian.
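As an added example (not part of Julian's post, nor Ethereal or tcpdump code), here is a small Python evaluator of the capture-filter idiom `ether[off:4] & mask == value` run over constructed Ethernet frames; it shows why the mask is 0xFFFFFF00 and the constant 0xBC00 when the 3-byte prefix 00:00:BC is taken from a 4-byte slice. The frame contents and function names are my own.

```python
# Added example: evaluate tcpdump/BPF slice-and-mask MAC-prefix filters
# over constructed Ethernet frames, so the expressions can be checked
# offline before they are used on a live capture.
import struct

OUI_MASK = 0xFFFFFF00   # keep the first three bytes of a 4-byte slice
OUI_VALUE = 0x0000BC00  # 00:00:BC followed by a zeroed fourth byte

def ether_slice(frame: bytes, offset: int, length: int) -> int:
    """tcpdump's ether[offset:length]; length must be 1, 2 or 4."""
    if length not in (1, 2, 4):
        raise ValueError("capture-filter slices may only be 1, 2 or 4 bytes")
    chunk = frame[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("frame too short for requested slice")
    return int.from_bytes(chunk, "big")  # BPF compares in network byte order

def src_matches(frame: bytes) -> bool:
    """ether[6:4]&0xFFFFFF00==0xBC00: source MAC starts with 00:00:BC."""
    return ether_slice(frame, 6, 4) & OUI_MASK == OUI_VALUE

def dst_matches(frame: bytes) -> bool:
    """ether[0:4]&0xFFFFFF00==0xBC00: destination MAC starts with 00:00:BC."""
    return ether_slice(frame, 0, 4) & OUI_MASK == OUI_VALUE

def either_matches(frame: bytes) -> bool:
    """The 'or' of both, the display-filter equivalent of eth.addr[0:3]==00:00:BC."""
    return src_matches(frame) or dst_matches(frame)

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Constructed 14-byte Ethernet header plus a dummy 46-byte payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample frames (hypothetical addresses) for trying the filters.
FRAMES = {
    "from_00_00_bc": build_frame("12:34:56:78:90:AB", "00:00:BC:01:02:03"),
    "to_00_00_bc":   build_frame("00:00:BC:AA:BB:CC", "12:34:56:78:90:AB"),
    "unrelated":     build_frame("34:56:78:90:AB:CD", "56:78:90:AB:CD:EF"),
    "near_miss":     build_frame("00:00:BD:01:02:03", "00:BC:00:01:02:03"),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:14} src={src_matches(frame)!s:5} "
              f"dst={dst_matches(frame)!s:5} either={either_matches(frame)}")
```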