Wireshark-users: Re: [Wireshark-users] capture filter

From: "Luis Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Fri, 4 May 2007 17:11:24 +0200
Display filter syntax is described in
http://www.wireshark.org/docs/man-pages/wireshark-filter.html
(which, BTW, is included in Wireshark's distribution).


If you know the source MAC always ends in 0007, the filter would be:

eth.src[4:2] == 00:07


On 5/4/07, Tom Greaser <tgreaser@xxxxxxxxxxx> wrote:

I'm weak at filters...

Can someone point me in a good direction? I'm trying to find a LAYER 2
multicast issue on the network that, as luck would have it, pops up at
different times every day.

The only reason I know of this "issue" is that some of the switches log
the error
C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET
and Cisco's fix is: find the sender and fix it.

So I'm trying to track it down, but I get a few different multicast
source addresses.

How can I set my capture to allow me to put in just part of the
Ethernet address?

I read the wiki, and since I have HIGH volumes of data (gig links
running at 15-50 meg),
I'd like to do more than just the filter "multicast".
I will if I have to.

I know the source MAC always ends in 0007.

Thanks for any help / direction.



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
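
An added example, not part of the original thread: what the slice `eth.src[4:2] == 00:07` selects at the byte level, applied to constructed frames. The source MAC occupies bytes 6-11 of the Ethernet header, so its last two bytes are frame bytes 10-11, which libpcap capture-filter syntax addresses as `ether[10:2]`. The helper names and sample addresses are assumptions made for illustration.

```python
# Added example: constructed frames, not traffic from the thread.
import struct

ETH_SRC_OFFSET = 6   # destination MAC is bytes 0-5, source MAC is bytes 6-11
MAC_LEN = 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != MAC_LEN:
        raise ValueError("not a 6-byte MAC: %r" % text)
    return raw

def eth_src(frame):
    """Return the source MAC of an Ethernet frame, or None if truncated."""
    if len(frame) < 14:
        return None
    return frame[ETH_SRC_OFFSET:ETH_SRC_OFFSET + MAC_LEN]

def src_slice_equals(frame, offset, length, value):
    """Same test as the display filter eth.src[offset:length] == value."""
    src = eth_src(frame)
    return src is not None and src[offset:offset + length] == value

def src_is_group(frame):
    """True when the source MAC has the group (multicast) bit set."""
    src = eth_src(frame)
    return src is not None and bool(src[0] & 0x01)

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

# Constructed sample frames (addresses are made up for illustration).
FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "01:00:5e:12:00:07"),  # group source, ends 00:07
    build_frame("01:00:5e:00:00:01", "00:11:22:33:44:55"),  # ordinary unicast source
    build_frame("ff:ff:ff:ff:ff:ff", "03:aa:bb:cc:00:07"),  # other prefix, same suffix
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:00:07"),  # suffix matches, unicast
    b"\xff" * 10,                                           # truncated frame
]

def suspects(frames):
    """Indexes of frames whose source ends in 00:07 and is a group address."""
    return [i for i, f in enumerate(frames)
            if src_slice_equals(f, 4, 2, b"\x00\x07") and src_is_group(f)]

if __name__ == "__main__":
    for i in suspects(FRAMES):
        print(i, eth_src(FRAMES[i]).hex(":"))
```

Matching on the suffix alone also returns the unicast frame at index 3; adding the group-bit test narrows the result to sources that are themselves multicast addresses.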