
Ethereal-users: RE: [Ethereal-users] broadcast traffic display filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (SNO)" <Martin.Visser@xxxxxxxxxx>
Date: Wed, 25 Jul 2001 15:30:55 +0800
I'm guessing that you probably really meant that you want to see all
"broadcast and multicast" traffic. This is the sort of traffic that will
flood a Layer 2 bridged/switched network and bring it to its knees.

While general-purpose IP broadcasts use ff:ff:ff:ff:ff:ff to contact all
hosts on a LAN segment, NetBEUI for instance uses 03:00:00:00:00:01 to
do the same thing. IP multicasts for protocols such as OSPF or say Video
multicasting use different addresses again.

To see this traffic in [t]ethereal you can specify the *capture* filter as
just "multicast". This will only capture such broadcast/multicast traffic.

Unfortunately Ethereal as yet can't do this in general as a display filter.
If you could, it might look something like "(eth.dst[0] & 0x01) == 1".
This is because a multicast packet is one where the first bit is a 1. (Some
people also say correctly that the first byte is odd).

Martin Visser
Network Consultant - Compaq Global Services

Compaq Computer Australia
410 Concord Road
Rhodes, Sydney NSW 2138
Australia

Phone: +61-2-9022-5630
Mobile: +61-411-254-513
Fax: +61-2-9022-7001
Email: martin.visser@xxxxxxxxxx



-----Original Message-----
From: Guy Harris [mailto:gharris@xxxxxxxxx]
Sent: Wednesday, 25 July 2001 3:31 PM
To: Hennessey,Sean
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] broadcast traffic display filter


On Tue, Jul 24, 2001 at 10:42:08PM -0400, Hennessey,Sean wrote:
> Does anyone know of an easy way to set up a display filter to show all
> broadcast traffic (not just mac broadcast, but all broadcasts)?

Easy?  I don't know how easy it is, but:

	to look for MAC broadcasts, do

	    on Ethernet captures:

		eth.addr == ff:ff:ff:ff:ff:ff

	    on FDDI captures:

		fddi.addr == ff:ff:ff:ff:ff:ff

	    on Token Ring captures:

		tr.addr == ff:ff:ff:ff:ff:ff

	    on 802.11 captures:

		wlan.da == ff:ff:ff:ff:ff:ff || wlan.sa == ff:ff:ff:ff:ff:ff

	to look for IPv4 broadcasts, do:

	    ip.addr == 255.255.255.255 || ip.addr == BB.BB.BB.BB

(where "BB.BB.BB.BB" is the broadcast address for the network you're on;
you may want to look for broadcast addresses from other networks, if
they might be forwarded to that network).

As some of the above expressions suggest, you can use C-style short-cut
Boolean operators such as "||" (or you can use "or" instead) to combine
expressions, so you could combine multiple such tests.

There are probably other broadcast addresses you'd want to look for,
e.g. IPX, IPv6, etc.

However, is there any reason to believe that a broadcast
IPv4/IPv6/IPX/etc. packet would *not* be sent as a MAC broadcast on your
network?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
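Added example (not from either mail, and not Ethereal code): a small Python classifier that applies the two tests discussed above, Martin's "(eth.dst[0] & 0x01) == 1" check on the destination MAC and Guy's "ip.addr == 255.255.255.255 || ip.addr == BB.BB.BB.BB" check on the IPv4 destination, to a few constructed Ethernet frames. The local network 192.168.1.0/24 and every sample MAC and IP address are assumptions; a frame whose IP destination is a broadcast but whose MAC destination is unicast is flagged, which is the case Guy's closing question asks about.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")  # assumed local segment, so BB.BB.BB.BB is .255

def mac_class(dst):
    """What "(eth.dst[0] & 0x01) == 1" would test: the I/G bit is the low-order bit of
    the first byte (an odd first byte), with all-ones as the broadcast special case."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def ipv4_is_broadcast(ip_dst):
    """Equivalent of 'ip.addr == 255.255.255.255 || ip.addr == BB.BB.BB.BB'."""
    addr = ipaddress.IPv4Address(ip_dst)
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr == LOCAL_NET.broadcast_address

def classify_frame(frame):
    """L2 class of a raw Ethernet II frame plus, for IPv4, whether the IP destination is a
    broadcast; an IP broadcast carried in a unicast frame is flagged as an anomaly."""
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": mac_class(dst), "ip_bcast": False, "anomaly": False}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ip_dst = str(ipaddress.IPv4Address(frame[30:34]))  # IPv4 header dst field
        out["ip_bcast"] = ipv4_is_broadcast(ip_dst)
        out["anomaly"] = out["ip_bcast"] and out["l2"] == "unicast"
    return out

def build_frame(dst_mac, ip_dst=None):
    """Constructed frame: Ethernet II header + minimal IPv4 header (checksum 0), or a non-IP payload."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("001122334455")
    if ip_dst is None:
        return hdr + struct.pack("!H", 0x8137) + b"\x00" * 46  # IPX ethertype, dummy payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("192.168.1.10").packed,
                     ipaddress.IPv4Address(ip_dst).packed)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip

# Constructed samples covering the address kinds the thread mentions.
SAMPLES = {
    "dhcp_discover": build_frame("ff:ff:ff:ff:ff:ff", "255.255.255.255"),
    "netbeui":       build_frame("03:00:00:00:00:01"),
    "ospf_hello":    build_frame("01:00:5e:00:00:05", "224.0.0.5"),
    "odd_unicast":   build_frame("00:0a:0b:0c:0d:0e", "192.168.1.255"),
}

if __name__ == "__main__":
    for name, r in ((n, classify_frame(f)) for n, f in SAMPLES.items()):
        print(name, r)
```

Note that the multicast test deliberately matches the NetBEUI functional address and the OSPF group address alike, which is exactly why a capture filter of "multicast" catches both.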