tcpdump mailing list archives

Re: Any way to filter ether address when type is LINUX_SLL?


From: Edouard Gaulué via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 19 Jan 2021 13:22:39 +0100

--- Begin Message ---
From: Edouard Gaulué <listes () e-gaulue com>
Date: Tue, 19 Jan 2021 13:22:39 +0100

And is there any way to filter by link-type? In fact, I need only the LINUX_SLL ones.

Regards,

On 29/12/2020 at 22:39, Michael Richardson wrote:
Edouard Gaulué via tcpdump-workers wrote:
     > I get a pcap flow from my router box (Peplink). The only thing I can change
     > is the dev "interface" from a web page. If one is chosen, I've got a EN10MB
     > type and I can filter my incoming flow with "tcpdump -r -
     > -w - ether host 01:23:45:67:89:01". If I choose "All", I suppose "-i
     > any" is added and then I get a LINUX_SLL type on which my command leads to
     > "tcpdump: ethernet addresses supported only on ethernet/FDDI/token
     > ring/802.11/ATM LANE/Fibre Channel".

Sorry, the LINUX_SLL has a fake header, and no *real* L2 header at all.
In theory, the pcap compiler could learn to filter on that LL address that is
included, but it's not that smart.

     > Is there any way to filter the LINUX_SLL flow to keep only traffic from a
     > specific MAC address from tcpdump? I mean before Wireshark.

If you know what ethernet address you want, can't you just specify the
interface?
If you are trying to dump on the "outside" of your router (after the NAPT),
then it will always be the L2 of the router anyway. The only place you'll
see the device's actual L2 address is on the network where it is plugged in.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [
--- End Message ---
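Since the BPF compiler cannot filter on the link-layer address carried in the cooked header, one workaround is to do it outside tcpdump: read the LINUX_SLL capture, inspect the 16-byte SLL header of each record and keep only the records whose address field matches, then feed the result to Wireshark. The script below is an added example, not code from the thread or from the tcpdump project; it assumes a classic pcap file (not pcapng) and a constructed three-record sample capture.

```python
import struct

LINKTYPE_LINUX_SLL = 113          # link-type value for "Linux cooked" captures (tcpdump -i any)

def pcap_endianness(pcap_bytes):
    """Classic pcap magic gives the writer's byte order; SLL header fields are always big-endian."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError("not a classic pcap file")

def iter_records(pcap_bytes):
    """Yield (raw record incl. its 16-byte record header, packet bytes) for each capture record."""
    end = pcap_endianness(pcap_bytes)
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack_from(end + "I", pcap_bytes, off + 8)[0]
        rec = pcap_bytes[off:off + 16 + incl]
        yield rec, rec[16:]
        off += 16 + incl

def sll_address(pkt):
    """Link-layer address from the SLL header: only the first addr_len of the 8 address bytes count."""
    pkt_type, arphrd, addr_len = struct.unpack_from(">HHH", pkt, 0)
    return pkt[6:6 + min(addr_len, 8)]

def filter_sll_by_addr(pcap_bytes, mac):
    """Return a pcap holding only the LINUX_SLL records whose SLL address equals mac ("aa:bb:...")."""
    end = pcap_endianness(pcap_bytes)
    linktype = struct.unpack_from(end + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError(f"link-type {linktype} is not LINUX_SLL")
    want = bytes.fromhex(mac.replace(":", ""))
    out = bytearray(pcap_bytes[:24])           # global header is copied unchanged
    for rec, pkt in iter_records(pcap_bytes):
        if len(pkt) >= 16 and sll_address(pkt) == want:
            out += rec
    return bytes(out)

def build_sample_pcap():
    """Constructed sample (not from the thread): three SLL records, two from 01:23:45:67:89:01."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    def rec(addr):
        sll = struct.pack(">HHH", 0, 1, 6) + addr.ljust(8, b"\0") + struct.pack(">H", 0x0800)
        pkt = sll + b"\0" * 20                 # dummy payload standing in for an IPv4 packet
        return struct.pack("<IIII", 1609459200, 0, len(pkt), len(pkt)) + pkt
    a, b = bytes.fromhex("012345678901"), bytes.fromhex("aabbccddeeff")
    return ghdr + rec(a) + rec(b) + rec(a)

if __name__ == "__main__":
    kept = filter_sll_by_addr(build_sample_pcap(), "01:23:45:67:89:01")
    print(len(list(iter_records(kept))), "records kept")
```

Writing the returned bytes to a file gives a pcap that Wireshark opens as a normal LINUX_SLL capture.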
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
