Wireshark · Ethereal-users: Re: [Ethereal-users] tethereal post capture filtering

Ethereal-users: Re: [Ethereal-users] tethereal post capture filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Sun, 17 Jul 2005 10:52:41 -0700

M.N.A.Smadi wrote:

i have a large number of libpcap dump files that I want to write ascript to filter. I need some help with the following:Q: given a string value for a given field such as the mac address, i cani filter for that?


	tethereal -R "eth.addr == 00:0a:00:08:02:04" -r {file} -w {output file}

will, for an Ethernet capture, read file {file} and write to file{output file} the packets that have a source or destination address of00:0a:00:08:02:04. (Note that this will *only* work for Ethernetcaptures - you'd need to use "tr.addr" for Token Ring, "fddi.addr" forFDDI, "wlan.addr" for 802.11, etc..)


"-R" takes an arbitrary display filter string (in quotes) as an argument.

References:
- [Ethereal-users] tethereal post capture filtering
  - From: M.N.A.Smadi

Prev by Date: [Ethereal-users] failure to compiling ethereal
Next by Date: Re: [Ethereal-users] failure to compiling ethereal
Previous by thread: [Ethereal-users] tethereal post capture filtering
Next by thread: [Ethereal-users] failure to compiling ethereal
Index(es):
- Date
- Thread