tcpdump mailing list archives

Re: capturing packets with identical MAC for source and destination


From: Gisle Vanem <gvanem () broadpark no>
Date: Tue, 03 Sep 2013 16:06:25 +0200

"Lentes, Bernd" <bernd.lentes () helmholtz-muenchen de> wrote:

I'd like to capture all packets which have the same MAC address for sender and destination.
But I don't know the MAC which is causing these messages. So I have to use a universal filter.
I tried to use "tcpdump 'ether[8:6] = ether[14:6]'". Beginning with byte 8 is the destination MAC and beginning with byte 14 is the source MAC.
And each MAC has the size of 6 bytes.
But I got this message: "tcpdump: data size must be 1, 2, or 4". Is there a way to capture the desired 6 bytes?

I think you'll have to split it up into 2 checks: 1 for 4 bytes and 1 for 2 bytes.
Something like:
 tcpdump -d "(ether[8:4]=ether[14:4]) && (ether[12:2]=ether[18:2])"

(000) ld       [8]
(001) st       M[1]
(002) ld       [14]
(003) tax
(004) ld       M[1]
(005) jeq      x                jt 6    jf 13
(006) ldh      [12]
(007) st       M[4]
(008) ldh      [18]
(009) tax
(010) ld       M[4]
(011) jeq      x                jt 12   jf 13
(012) ret      #65535
(013) ret      #0

Looks like the pseudo-asm code is correct w/o knowing what 'tax' is.
(Note: I had to use '&&' in my shell to escape the '&'.)

--gv
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
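To show what that listing actually computes, including the 'tax' step (transfer the accumulator into the index register X), here is an added interpreter for the classic-BPF subset it uses, run over constructed frames; this is example code, not tcpdump's or libpcap's. It executes the listing exactly as posted, with offsets 8 and 14; on a standard 14-byte Ethernet header the destination MAC is bytes 0..5 and the source MAC bytes 6..11, so a same-MAC check for real frames would read ether[0:4]=ether[6:4] && ether[4:2]=ether[10:2].

```python
BPF_LISTING = """
(000) ld       [8]
(001) st       M[1]
(002) ld       [14]
(003) tax
(004) ld       M[1]
(005) jeq      x                jt 6    jf 13
(006) ldh      [12]
(007) st       M[4]
(008) ldh      [18]
(009) tax
(010) ld       M[4]
(011) jeq      x                jt 12   jf 13
(012) ret      #65535
(013) ret      #0
"""  # the 'tcpdump -d' listing from the reply, copied as posted

def parse_listing(text):  # '(nnn) op args...' lines -> [op, args...]; index = instruction number
    return [line.split()[1:] for line in text.strip().splitlines()]

def run_bpf(prog, pkt):
    """Run the program over one frame; returns the accept length (0 = reject)."""
    acc = x = pc = 0
    mem = {}                                 # BPF scratch memory M[0..15]
    while True:
        op, *args = prog[pc]
        if op in ("ld", "ldh") and args[0].startswith("M["):
            acc = mem[int(args[0][2:-1])]    # ld M[k]: reload from scratch memory
        elif op in ("ld", "ldh"):            # [k]: 32-bit / 16-bit big-endian packet load
            width, off = (4 if op == "ld" else 2), int(args[0][1:-1])
            if off + width > len(pkt):       # reading past the frame rejects it
                return 0
            acc = int.from_bytes(pkt[off:off + width], "big")
        elif op == "st":                     # st M[k]: save accumulator to scratch memory
            mem[int(args[0][2:-1])] = acc
        elif op == "tax":                    # transfer A to the index register X
            x = acc
        elif op == "jeq":                    # jeq x  jt T  jf F: compare A with X, branch
            pc = int(args[2]) if acc == x else int(args[4])
            continue
        elif op == "ret":                    # ret #k: accept k bytes (0 = reject)
            return int(args[0][1:])
        pc += 1

def ethernet_frame(dst_mac, src_mac, ethertype=0x0800, payload=b"\x00" * 46):
    """Raw Ethernet II frame from colon-separated MACs (constructed sample input)."""
    return bytes.fromhex((dst_mac + src_mac).replace(":", "")) + ethertype.to_bytes(2, "big") + payload

def listing_matches(frame):  # True when the posted filter program would pass this frame to tcpdump
    return run_bpf(parse_listing(BPF_LISTING), frame) != 0
```

Paste any other tcpdump -d output into BPF_LISTING to trace it the same way, provided it only uses these instructions.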

