[GRLUG] Wireshark & eth.addr==

Michael Mol mikemol at gmail.com
Tue Feb 22 09:24:22 EST 2011


On Tue, Feb 22, 2011 at 2:14 PM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
> I have a device with a MAC address of 00.C0.02.37.37.33
>
> I ***SEE*** that mac address in the "Source" column when looking at
> captured traffic in Wireshark.  So I enter a filter of
> eth.addr==00.C0.02.37.37.33 or eth.addr==00:C0:02:37:37:33 ... and no
> traffic matches the criteria.  Am I having a Monday-Moment or screwing
> something up on a grander-scale?

Any reason to use the same MAC for both eth.addr lines, with the
distinction being that one of them uses '.' for a separator and one
':'?

(I'm assuming you entered it as "eth.addr==00.C0.02.37.37.33 or
eth.addr==00:C0:02:37:37:33", but you might have meant
"eth.addr==00.C0.02.37.37.33" and "eth.addr==00:C0:02:37:37:33" as two
separate tries)

I only found out about .addr last week. Previously, I was using "(.src
= a and .dst = b) or (.dst = a and .src = b)". Try falling back on
that pattern?

Finally, try clicking on the MAC address and hitting "apply as
filter...selected"?

-- 
:wq
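As an added illustration that is not part of the original thread: a small Python helper that normalizes a MAC address written with '.', ':' or '-' separators, builds the two filter spellings discussed above (the eth.addr shorthand and the explicit src/dst pattern), and checks constructed sample frames the way eth.addr does, matching either the source or the destination field. The frames and addresses are constructed; the filter strings are built as text, not run against Wireshark.

```python
import re

# Normalize a MAC written with ':', '-', '.', or no separators into the
# lower-case colon form. Comparing on normalized bytes removes the
# separator question from the "why does my filter not match" debugging.
def normalize_mac(text):
    hexdigits = re.sub(r"[.:\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# The eth.addr shorthand from the thread.
def addr_filter(mac):
    return f"eth.addr == {normalize_mac(mac)}"

# The older explicit pattern from the thread: both directions of a
# conversation between two hosts.
def conversation_filter(a, b):
    a, b = normalize_mac(a), normalize_mac(b)
    return (f"(eth.src == {a} and eth.dst == {b}) or "
            f"(eth.dst == {a} and eth.src == {b})")

# Minimal evaluator for eth.addr == mac: a frame matches when either its
# source or its destination equals the address.
def matches_addr(frame, mac):
    mac = normalize_mac(mac)
    return normalize_mac(frame["src"]) == mac or normalize_mac(frame["dst"]) == mac

def matching_frames(frames, mac):
    return [f for f in frames if matches_addr(f, mac)]

# Constructed sample frames (not from a real capture), deliberately using
# three different MAC notations.
FRAMES = [
    {"src": "00:C0:02:37:37:33", "dst": "ff:ff:ff:ff:ff:ff"},
    {"src": "00-11-22-33-44-55", "dst": "00c0.0237.3733"},
    {"src": "00:11:22:33:44:55", "dst": "00:66:77:88:99:aa"},
]

if __name__ == "__main__":
    print(addr_filter("00.C0.02.37.37.33"))
    print(conversation_filter("00.C0.02.37.37.33", "00:11:22:33:44:55"))
    print(len(matching_frames(FRAMES, "00.C0.02.37.37.33")), "frames match")
```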
