Thanks, that helps a lot. Now, to take it one step farther, I need to apply that capture filter to the client field (labeled in the display filter 'bootp.hw.mac_addr'). Is that possible in a capture filter? And if you're going to ask if the offset from the start of the packet is consistent, it's not.
Basically what I'm trying to do here is capture the DHCP packets for a certain brand of devices in the field, but they're behind a DHCP relay so I can't use the frame's hardware MAC address because it's always the DHCP relay device. Frank -----Original Message----- From: Guy Harris [mailto:[EMAIL PROTECTED] Sent: Friday, January 25, 2008 8:22 PM To: [EMAIL PROTECTED]; Community support list for Wireshark Subject: Re: [Wireshark-users] Capture filter for MAC addresses On Jan 25, 2008, at 4:24 PM, Frank Bulk wrote: > I've looked at the wiki page (http://wiki.wireshark.org/Ethernet) > but it's > not entirely clear to me how I would capture the traffic from all > those > devices that share the same OUI. > > For example, if the OUI of interest was Cisco (00:1b:0d), I have > tried this: > ether[0:4]=0x001B0D > but it didn't seem to work. I suspect I don't full understand the > usage of > the square brackets, and perhaps I need to use a mask of some kind. Capture filters can only test 1-byte, 2-byte, or 4-byte fields: $ man tcpdump ... expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped. The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier: ... expr relop expr True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression com- posed of integer constants (expressed in standard C syn- tax), the normal binary operators [+, -, *, /, &, |, <<, >>], a length operator, and special packet data acces- sors. Note that all comparisons are unsigned, so that, for example, 0x80000000 and 0xffffffff are > 0. To access data inside the packet, use the following syntax: proto [ expr : size ] Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indi- cates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indi- cated by the keyword len, gives the length of the packet. so, yes, you'd have to either 1) do "ether[0] == 0x00 and ether[1] == 0x1B and ether[2] == 0x0D" or 2) use a mask - "(ether[0:4] & 0xFFFFFF00) == 0x001B0D00" (the latter generates less BPF code, and would run a little faster). _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
