Ethereal Capture Filter for MAC Traffic

How to make an Ethereal packet capture filter for MAC (Ethernet) traffic.

One of the great strengths of Ethereal is its very powerful filtering language. This document describes some of its features, specifically the use of primitives.

You can build packet capture filters and reuse them at any time. Take a look at Ethereal Setting Capture Filters for a description of how to make and reuse a simple filter.

Once you have mastered making a simple filter you can try some of the more advanced ones described in Ethereal Advanced Packet Capture Filtering.

Capturing specific MAC (Ethernet) Host traffic

Ethernet addresses may be specified numerically or by name, so if the machine named FRED has the address 008601123456, either form can be used in the filter.

So in the Filter string, entering:

ether host FRED is the same as ether host 008601123456

This will capture packets to and from FRED.

Optionally you may specify if the address is a destination or a source address.

ether dst host FRED is the same as ether dst host 008601123456 and will capture only traffic to the address.

ether src host FRED is the same as ether src host 008601123456 and will capture only traffic from the address.

Capturing specific Ether type traffic

Primitives exist for capturing specific Ether types.

In the Filter string, entering:

ether proto ip is the same as ether proto 0800 and will capture all IP packets.

ether proto arp is the same as ether proto 0806 and will capture all ARP packets.

ether proto rarp is the same as ether proto 8035 and will capture all RARP packets.

ether proto decnet is the same as ether proto 6003 and will capture all DECNET packets.

ether proto lat is the same as ether proto 6004 and will capture all DEC LAT packets.

ether proto moprc is the same as ether proto 6002 and will capture all MOP RC packets.

ether proto mopdl is the same as ether proto 6001 and will capture all MOP DL packets.

Capturing Ethernet Broadcast and Multicast traffic

In the Filter string, entering:

ether broadcast

will capture all Ethernet broadcast packets. The word ether is optional in this case.

In the Filter string, entering:

ether multicast

will capture all Ethernet multicast packets. The word ether is optional in this case.

Capturing packets of a specified length

Primitives exist to allow you to specify a packet length.

In the Filter string, entering:

less 100 is the same as len <= 100 and will capture packets whose length is less than or equal to 100 bytes.

In the Filter string, entering:

greater 100 is the same as len >= 100 and will capture packets whose length is greater than or equal to 100 bytes.
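The following is an added example, not code from the original page or from the Ethereal project. It shows what each primitive described above (ether host / src / dst, ether proto, ether broadcast / multicast, less / greater) actually tests in an Ethernet frame, by evaluating the page's filter strings against a few constructed frames. The name table standing in for /etc/ethers, the machine name FRED and its address, and the sample frames are all assumptions made for the example; note that libpcap itself writes a numeric MAC in colon form (00:86:01:12:34:56) and a numeric ethertype with a 0x prefix (0x0800).

```python
import struct

# Hypothetical name table standing in for /etc/ethers: name -> 6-byte MAC (assumed).
ETHERS = {"FRED": bytes.fromhex("008601123456")}

# Ethertype values behind the names the page lists for "ether proto".
ETHERTYPES = {
    "ip": 0x0800, "arp": 0x0806, "rarp": 0x8035,
    "decnet": 0x6003, "lat": 0x6004, "moprc": 0x6002, "mopdl": 0x6001,
}

BROADCAST = b"\xff" * 6


def mac(addr):
    """Resolve a name from the table, or parse hex given with or without colons."""
    if addr in ETHERS:
        return ETHERS[addr]
    return bytes.fromhex(addr.replace(":", ""))


def parse_frame(frame):
    """Split an Ethernet II header: dst (0-5), src (6-11), ethertype (12-13)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype


def ether_host(frame, addr, direction="host"):
    """ether [src|dst] host ADDR: match source, destination, or either."""
    dst, src, _ = parse_frame(frame)
    want = mac(addr)
    if direction == "dst":
        return dst == want
    if direction == "src":
        return src == want
    return dst == want or src == want


def ether_proto(frame, proto):
    """ether proto NAME|NUMBER: compare the ethertype field at offset 12."""
    want = ETHERTYPES[proto] if isinstance(proto, str) else proto
    return parse_frame(frame)[2] == want


def ether_broadcast(frame):
    """ether broadcast: destination is ff:ff:ff:ff:ff:ff."""
    return parse_frame(frame)[0] == BROADCAST


def ether_multicast(frame):
    """ether multicast: group bit (low bit of the first destination byte) is set.
    Broadcast has that bit set too, so broadcast frames also match multicast."""
    return bool(parse_frame(frame)[0][0] & 0x01)


def matches(expr, frame):
    """Evaluate one primitive from the page, written as a filter string."""
    t = expr.split()
    if t[0] == "ether":          # prefix; optional for broadcast/multicast
        t = t[1:]
    if t == ["broadcast"]:
        return ether_broadcast(frame)
    if t == ["multicast"]:
        return ether_multicast(frame)
    if t[0] in ("src", "dst") and t[1] == "host":
        return ether_host(frame, t[2], t[0])
    if t[0] == "host":
        return ether_host(frame, t[1])
    if t[0] == "proto":
        name = t[1]
        return ether_proto(frame, name if name in ETHERTYPES else int(name, 16))
    if t[0] == "less":           # less N  == len <= N
        return len(frame) <= int(t[1])
    if t[0] == "greater":        # greater N == len >= N
        return len(frame) >= int(t[1])
    if t[0] == "len" and t[1] in ("<=", ">="):
        n = int(t[2])
        return len(frame) <= n if t[1] == "<=" else len(frame) >= n
    raise ValueError("unsupported primitive: " + expr)


def build_frame(dst, src, etype, payload_len):
    """Constructed frame: 14-byte header plus a zero-filled payload."""
    return struct.pack("!6s6sH", mac(dst), mac(src), etype) + b"\x00" * payload_len


# Constructed sample frames (total lengths: 100, 42 and 214 bytes).
FRAMES = {
    "ip_to_fred": build_frame("FRED", "00:11:22:33:44:55", 0x0800, 86),
    "arp_bcast":  build_frame("ff:ff:ff:ff:ff:ff", "FRED", 0x0806, 28),
    "mcast_lat":  build_frame("01:00:5e:00:00:01", "00:11:22:33:44:55", 0x6004, 200),
}


def select(expr, frames=FRAMES):
    """Names of the constructed frames the primitive would capture, sorted."""
    return sorted(name for name, f in frames.items() if matches(expr, f))


if __name__ == "__main__":
    for expr in ("ether host FRED", "ether dst host FRED", "ether src host 008601123456",
                 "ether proto arp", "ether proto 0800", "broadcast", "ether multicast",
                 "less 100", "len >= 100"):
        print(f"{expr:32} -> {select(expr)}")
```

Running the block prints, for each of the page's filter strings, which of the three constructed frames it would capture; the multicast line shows the point that is easy to miss in practice, namely that the broadcast frame is also a multicast frame because the test is a single bit in the destination address.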

To perform filtering on IP hosts and protocols, go to Filtering IP Traffic.

For a description of even more options, go to Filtering while capturing.