tcpdump mailing list archives
Re: capturing packets with identical MAC for source and destination
From: "Lentes, Bernd" <bernd.lentes () helmholtz-muenchen de>
Date: Tue, 3 Sep 2013 17:49:49 +0200
Gisle wrote:
> "Lentes, Bernd" <bernd.lentes () helmholtz-muenchen de> wrote:
>> I'd like to capture all packets which have the same MAC-address for sender and destination.
>> But I don't know the MAC which is causing these messages.
>> So I have to use a universal filter.
>> I tried to use "tcpdump 'ether[8:6] = ether[14:6]'".
>> Beginning with byte 8 is the destination MAC and beginning with byte 14 is the source MAC. And each MAC has the size of 6 bytes. But I got this message: "tcpdump: data size must be 1, 2, or 4". Is there a way to capture the desired 6 bytes?
>
> I think you'll have to split up in 2 checks. 1 for 4 bytes and 1 for 2 bytes. Something like:
>   tcpdump -d "(ether[8:4]=ether[14:4]) && (ether[12:2]=ether[18:2])"
Hi, this seems to be smart. I will try that.

Bernd
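The 4-byte plus 2-byte split discussed in this thread can also be applied offline to a saved capture. The sketch below is an added example, not code from the thread or from tcpdump. It assumes a classic microsecond-resolution pcap file with Ethernet link type, where the first byte libpcap delivers is the destination MAC (bytes 0-5) and the source MAC follows at bytes 6-11, so its offsets differ from the ones quoted in the thread. The function names and sample MAC addresses are constructed for illustration.

```python
import struct

DLT_EN10MB = 1  # pcap link type for Ethernet
# Equivalent capture filter on these offsets:
#   ether[0:4] = ether[6:4] and ether[4:2] = ether[10:2]

def same_mac(frame: bytes) -> bool:
    """Mirror the BPF split: one 4-byte and one 2-byte comparison per address."""
    if len(frame) < 12:  # truncated frame: no complete address pair
        return False
    dst_hi, dst_lo, src_hi, src_lo = struct.unpack_from("!IHIH", frame, 0)
    return dst_hi == src_hi and dst_lo == src_lo

def frames_with_same_mac(pcap: bytes):
    """Return (record index, MAC) for every frame whose source equals its destination."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("these offsets only apply to Ethernet captures")
    hits, pos, index = [], 24, 0
    while pos + 16 <= len(pcap):  # 16-byte record header precedes each frame
        incl_len = struct.unpack_from(endian + "I", pcap, pos + 8)[0]
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        if same_mac(frame):
            hits.append((index, frame[6:12].hex(":")))
        pos += 16 + incl_len
        index += 1
    return hits

def build_sample_pcap() -> bytes:
    """Constructed capture: a normal frame, one with dst == src, one truncated."""
    a = bytes.fromhex("020000000001")  # constructed, locally administered MACs
    b = bytes.fromhex("020000000002")
    frames = [b + a + b"\x08\x00" + b"\x00" * 46,
              a + a + b"\x08\x00" + b"\x00" * 46,
              a + a[:3]]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(frames_with_same_mac(build_sample_pcap()))
```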