Won't something like "arp.src.proto_ipv4 == 1.2.3.4 && arp.dst.proto_ipv4 ==
1.2.3.4" work. It would appear that you will have to specify a specific IP
address. I tried "arp.src.proto_ipv4 == arp.dst.proto_ipv4" and wireshark
decided it was an invalid filter
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth
Message: 4
Date: Wed, 20 May 2009 18:21:22 +0200
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] gratuitous ARP
To: "Community support list for Wireshark"
<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <49EC7C530001B5BC@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"
Hi MTIA,
Try this display filter:
(arp.src.proto_ipv4 == 192.168.1.111) && (arp.dst.hw_mac ==
00:00:00:00:00:00)
It displays gratuitous arp requests and just a few other arp requests.
Hope this helps,
Joan
On Wed, 20 May 2009 10:10:24 +0100 MTIA wrote:
I'm looking to filter traffic so that only /gratuitous/ ARPs are
captured/displayed, but can't see a way to do this.
Any suggestions how I can achieve this?
MTIA
