Wireshark mailing list archives
Re: filter huge pcap file based on multiple mac address
From: <Tim.Poth () bentley com>
Date: Fri, 30 Nov 2012 13:40:11 +0000
You can filter in Wireshark using eth.addr, e.g.

eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55

If you wanted to split the file at the command prompt you could use tshark, e.g.

tshark -r infile.pcapng -w outfile.pcapng -R "eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55"

You can also invert these filters by adding a ! at the beginning, e.g.

!eth.addr eq 64:31:50:44:48:22

This will give you all frames that do not have a MAC address of 64:31:50:44:48:22.

Hope that helps
tim

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Abbhishek Misra
Sent: Thursday, November 29, 2012 11:24 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] filter huge pcap file based on multiple mac address

Hello All,

I have a large pcap file with lots of unwanted wireless packets. I wish to filter/split it based on 2 mac address. Please let me know how to do that.

bye
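The same eth.addr selection, done as a streaming pass over the file so that a huge capture never has to fit in memory. This is an added example, not code from the thread or from the Wireshark project. It assumes a classic pcap file (not pcapng) with the Ethernet link type, and the names filter_pcap, parse_mac and sample_capture are hypothetical.

```python
import struct

LINKTYPE_ETHERNET = 1
MAX_RECORD = 262144  # refuse absurd lengths from a damaged or hostile file
# Magic as stored on disk -> struct byte order (usec and nsec variants)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def parse_mac(text):
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("not a MAC address: %r" % text)
    return raw

def filter_pcap(src, dst, macs, invert=False):
    """Stream records from src to dst, keeping frames whose Ethernet source or
    destination is in macs (the eth.addr test); invert=True keeps the rest."""
    wanted = {parse_mac(m) for m in macs}
    header = src.read(24)
    order = MAGICS.get(header[:4])
    if len(header) != 24 or order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", header[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("link type is not Ethernet")
    dst.write(header)
    kept = 0
    while True:
        rec = src.read(16)
        if len(rec) < 16:
            return kept  # end of file, or a truncated record header
        incl_len = struct.unpack(order + "I", rec[8:12])[0]
        if incl_len > MAX_RECORD:
            raise ValueError("record length %d exceeds limit" % incl_len)
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            return kept  # capture cut off mid-packet: drop the partial record
        hit = len(frame) >= 12 and (frame[0:6] in wanted or frame[6:12] in wanted)
        if hit != invert:
            dst.write(rec + frame)
            kept += 1

def sample_capture():
    """Constructed three-frame Ethernet capture for demonstration."""
    def frame(dst, src):
        body = parse_mac(dst) + parse_mac(src) + b"\x08\x00" + b"\x00" * 46
        return struct.pack("<IIII", 0, 0, len(body), len(body)) + body
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return head + (frame("64:31:50:44:48:22", "00:00:5e:00:53:01")
                   + frame("00:00:5e:00:53:02", "00:00:5e:00:53:01")
                   + frame("00:00:5e:00:53:01", "64:31:50:44:48:55"))
```

For real files, pass two file objects opened in binary mode ("rb" and "wb"). A capture with another link type, such as 802.11, is rejected rather than compared at the wrong offsets.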