Ethereal-users: Re: [Ethereal-users] Capturing a range of MAC addresses

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 11 Feb 2004 14:48:53 -0800 (PST)
--- Marco van den Bovenkamp
<marco@xxxxxxxxxxxxxxxxxxx> wrote:
> menxit@xxxxxxxxx wrote:
> 
> > But I’m looking to capture all packets coming from
> > NICs which MAC address that start with 01:23:45
> > 
> > I have tried     ether src[0:3]=01:23:45     or   
> 
> > ether src[0:3] 01:23:45     or      ether host
> > src[0:3] 01:23:45       but all returns a parse
> error
> > 
> > I’m using ethereal 0.10.0, tcpdump 3.8, libpcap
> 0.8
> > 
> > Any ideas as to what I should use or what i'm
> doing
> > wrong.
> 
> It's 'proto[start:size]', where 'size' can be 1, 2
> or 4, with a default 
> of 1. So to do what you want something like
> 'ether[6:2] = 0x0123 and 
> ether[8] = 0x45' should work.
> 
> -- 
> 
> 		Groeten,
> 
> 			Marco.
> 
> 

Thanks Marco, works great.  I would never have known
to use hex since ‘ether 01:23:45:67:89:ab’ does not
use hex.

How come ether[10:4]=0x01234567 does not work?  It
doesn’t give me a parser error but it does not capture
any packets.

Thanks
-Mike


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html