Wireshark-users: Re: [Wireshark-users] filter huge pcap file based on multiple mac address
Date: Fri, 30 Nov 2012 13:40:11 +0000

You can filter in Wireshark using eth.addr

E.g.

eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55

If you wanted to split the file at the command prompt you could use tshark

E.g.

tshark -r infile.pcapng -w outfile.pcapng -R "eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55"

 

You can also invert these filters by adding a ! at the beginning

E.g.

!eth.addr eq 64:31:50:44:48:22

This will give you all frames that do not have a MAC address of 64:31:50:44:48:22

Hope that helps

tim

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Abbhishek Misra
Sent: Thursday, November 29, 2012 11:24 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] filter huge pcap file based on multiple mac address

 

Hello All,

I have a large pcap file with lots of unwanted wireless packets.

I wish to filter/split it based on 2 MAC addresses.

Please let me know how to do that.

bye
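
The selection that eth.addr performs (a match on either the source or the destination MAC) can also be done without tshark by streaming the capture record by record. This is an added example, not part of the original thread: `filter_pcap` and `mac_bytes` are hypothetical names, and it assumes a classic pcap file with an Ethernet link type, so pcapng input such as the infile.pcapng above is rejected rather than handled.

```python
import io
import struct

# Magic bytes as stored in the file -> struct byte-order prefix (usec and nsec variants).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",
}

def mac_bytes(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw

def filter_pcap(src, dst, macs, invert=False):
    """Copy frames whose source or destination MAC is in macs; return the count written."""
    wanted = {mac_bytes(m) for m in macs}
    header = src.read(24)
    endian = PCAP_MAGICS.get(header[:4])
    if len(header) != 24 or endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("link type is not Ethernet; eth.addr would not apply")
    dst.write(header)
    written = 0
    while True:  # one record at a time, so memory use stays flat on huge files
        rec = src.read(16)
        if len(rec) < 16:
            break  # clean end of file, or a truncated record header
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            break  # truncated final frame: drop it
        hit = len(frame) >= 12 and (frame[0:6] in wanted or frame[6:12] in wanted)
        if hit != invert:  # invert=True mirrors the leading "!" form
            dst.write(rec + frame)
            written += 1
    return written

if __name__ == "__main__":
    # Constructed sample capture: three minimal Ethernet frames, two of them matching.
    a, b, c = (mac_bytes(f"64:31:50:44:48:{x}") for x in ("22", "55", "99"))
    frames = [a + c + b"\x08\x00", c + b + b"\x08\x00", c + c + b"\x08\x00"]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    data += b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    out = io.BytesIO()
    print(filter_pcap(io.BytesIO(data), out, ["64:31:50:44:48:22", "64:31:50:44:48:55"]))
```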