You can filter in wireshark using eth.addr
EG
Eth.addr eq 64:31:50:44:48:22 or Eth.addr eq 64:31:50:44:48:55
If you wanted to spit the file at the command prompt you could use tshark
EG
tshark -r infile.pcapng -w outfile.pcapng -R "eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55"
You can also invert these filter by adding a ! and the beginning
EG
!Eth.addr eq 64:31:50:44:48:22
This will give you all frames that do not have a MAC address of 64:31:50:44:48:22
Hope that helps
tim
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx]
On Behalf Of Abbhishek Misra
Sent: Thursday, November 29, 2012 11:24 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] filter huge pcap file based on multiple mac address
Hello All,
I have a large pcap file with lots of unwanted wireless packets.
I wish to filter/split it based on 2 mac address.
Please let me know how to do that.