Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: Re: [Wireshark-users] Capture filter for ethernet range

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Date: Tue, 07 Nov 2006 15:49:26 -0800

At 03:26 PM 11/7/2006, Andrew Schweitzer wrote:

I have an enthernet range I want to sniff (00:80:44:00:00:00 -
00:80:44:ff:ff:ff).

The following filter is legal, and sort of looks right, but only seems
to capture packets where the packet's ethernet *destination* is the
specified range.

(ether[0:4]>=0x00804400 and ether[0:4]<=0x008044ff)

Any ideas?
Sure. It only captures destination packets because you are only checking the destination address. You need to also check for the source address. Assuming you want packets whose source or destination address is in the range: 

(ether[0:4]>=0x00804400 and ether[0:4]<=0x008044ff) or
(ether[6:4]>=0x00804400 and ether[6:4]<=0x008044ff)
  • Follow-Ups:
    • Re: [Wireshark-users] Capture filter for ethernet range
      • From: Andrew Schweitzer
  • References:
    • [Wireshark-users] Capture filter for ethernet range
      • From: Andrew Schweitzer
  • Prev by Date: [Wireshark-users] Capture filter for ethernet range
  • Next by Date: Re: [Wireshark-users] Response time Question
  • Previous by thread: [Wireshark-users] Capture filter for ethernet range
  • Next by thread: Re: [Wireshark-users] Capture filter for ethernet range
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation