That string isn't a valid capture filter (ethernet addresses supported only on ethernet/FDDI/toke...). See the User's Guide for a description of the capture filter syntax.

If libpcap supported a frame protocol to look at the byte level, then a lower-level filter for the src and dst addresses could be created, but it doesn't, so you can't.

You said, "I want to capture all traffic from devices with MAC address containing 00:0C:22." You probably can't create a capture filter for MAC addresses containing 00:0C:22 anywhere in the MAC address fields (pcap-filter). But if you know where in the MAC address field those three bytes will be, you can use a byte-offset capture filter. To capture packets where either the source or destination MAC address starts with 00:0C:22:

To look at the inside of a capture filter, use dumpcap -d to dump the byte code for the filter:

~$ dumpcap.exe -i 5 -d -f "( ether dst 00:00:00:00:00:01 and pppoes and ip&0x0f=0x01 )"

The check for 0x8864 is looking for pppoes in the Ethernet Type bytes. After the pppoes it is no longer considered Ethernet 0x0800, so the second ether src fails.

After the first pppoes, the packet is no longer considered to be Ethernet (type 0x0800), so the second ether is not valid. What's needed is support for pppoes src and pppoes dst, or some other work-around. This is worthy of an issue on the libpcap GitHub issues.

The work-around (and as far as I'm aware the only way to handle this) is to avoid using pppoes, at least in the first expression. What we need to be able to do is to construct the equivalent BPF without using pppoes. First, what does the BPF look like if we do use pppoes? Well, it looks like this:

dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and pppoes and ip&0x0f=0x01"

First, it's checking that the Ethernet destination address is 00:00:00:00:00:01. It's doing this in 2 parts: (1) the last 4 bytes are 00:00:00:01 and (2) the first 2 bytes are 00:00. Second, it's checking that the Ethertype is 0x8864, which is the IANA-assigned Ethertype for "PPP over Ethernet (PPPoE) Session Stage". Third, it's checking that the PPP Protocol ID is IPv4. Fourth, it's checking that the lower nibble of the last octet of the destination IP address is 1.

To reproduce this same BPF without using the pppoes keyword, then, we simply need to manually specify all the offsets. Here is such a filter that accomplishes that, with BPF included for comparison:

dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and ether = 0x8864 and ether = 0x0021 and ether & 0x0f = 0x01"

Now all that's needed is to or the two expressions together. This can be done in one of two ways, the first being a bit easier because now we can use the pppoes keyword:

dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether = 0x8864 and ether = 0x0021 and ether & 0x0f = 0x01.

(The breakdown of the other expression is quite similar, except for the changes to the offsets for comparing the Ethernet source address and the lower nibble of the last octet of the IPv4 source address. That breakdown and analysis is left as an exercise for the reader.)
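The following Python is an added example, not code from the Wireshark Q&A excerpts above. It imitates libpcap's ether[offset:size] load by reading the same bytes out of a raw frame, so both filters discussed on this page can be exercised offline against constructed frames: the "src or dst MAC starts with 00:0C:22" filter from the first thread (three bytes is not a legal access width in pcap-filter, so the example splits each address into a 2-byte and a 1-byte compare, which goes slightly beyond what the thread states), and the offset-only PPPoE-session/IPv4 filter from the second thread, written for both the ether dst and ether src halves without any pppoes keyword. The bracketed index values of the ether[...] comparisons are not legible in the text above, so the offsets used here (Ethertype at 12, PPP protocol ID at 20, last octet of the IPv4 destination at 41 and of the source at 37, assuming untagged Ethernet II, a 6-byte PPPoE session header and a 20-byte IPv4 header) are derived from the four-step breakdown and the standard frame layout; treat them as an assumption and confirm with dumpcap -d -f or tcpdump -d that the emitted text compiles to the same BPF. The MAC and IP values are constructed test data.

```python
"""Byte-offset capture filters, evaluated in pure Python (added example)."""
import struct

ETH_P_PPPOE_SESS = 0x8864      # Ethertype: PPP over Ethernet, Session Stage
PPP_IPV4 = 0x0021              # PPP protocol ID for IPv4

# Offsets assume untagged Ethernet II (assumption; an 802.1Q tag shifts all by 4).
ETH_DST, ETH_SRC, ETH_TYPE = 0, 6, 12
PPP_PROTO = 14 + 6             # 20: PPP protocol ID follows the 6-byte PPPoE header
IP_HDR = PPP_PROTO + 2         # 22: start of the IPv4 header
IP_SRC_LAST = IP_HDR + 12 + 3  # 37: last octet of the IPv4 source address
IP_DST_LAST = IP_HDR + 16 + 3  # 41: last octet of the IPv4 destination address


def ether(frame: bytes, offset: int, size: int = 1) -> int:
    """Mimic pcap-filter's ether[offset:size] load (size must be 1, 2 or 4)."""
    if size not in (1, 2, 4):
        raise ValueError("pcap-filter only allows 1-, 2- or 4-byte accesses")
    if offset + size > len(frame):
        raise IndexError("load beyond end of packet")
    return int.from_bytes(frame[offset:offset + size], "big")


def _mac_parts(mac: bytes):
    """libpcap compares a 6-byte MAC as a 2-byte word plus a 4-byte word."""
    return int.from_bytes(mac[:2], "big"), int.from_bytes(mac[2:], "big")


def mac_prefix_filter(prefix: bytes) -> str:
    """Filter text for 'src or dst MAC starts with this 3-byte prefix'."""
    hi, lo = int.from_bytes(prefix[:2], "big"), prefix[2]
    return " or ".join(f"(ether[{off}:2] = {hi:#06x} and ether[{off + 2}] = {lo:#04x})"
                       for off in (ETH_DST, ETH_SRC))


def mac_prefix_matches(frame: bytes, prefix: bytes) -> bool:
    """Evaluate mac_prefix_filter() semantics on a raw frame."""
    hi, lo = int.from_bytes(prefix[:2], "big"), prefix[2]
    try:
        return any(ether(frame, off, 2) == hi and ether(frame, off + 2) == lo
                   for off in (ETH_DST, ETH_SRC))
    except IndexError:
        return False


def pppoes_ipv4_filter(mac: bytes, nibble: int) -> str:
    """Offset-only form of '(ether dst MAC and pppoes and ip[19]&0x0f=N) or
    (ether src MAC and pppoes and ip[15]&0x0f=N)', with no pppoes keyword."""
    hi, lo = _mac_parts(mac)
    common = (f"ether[{ETH_TYPE}:2] = {ETH_P_PPPOE_SESS:#06x} and "
              f"ether[{PPP_PROTO}:2] = {PPP_IPV4:#06x}")
    halves = [f"(ether[{a + 2}:4] = {lo:#010x} and ether[{a}:2] = {hi:#06x} "
              f"and {common} and ether[{ip}] & 0x0f = {nibble:#04x})"
              for a, ip in ((ETH_DST, IP_DST_LAST), (ETH_SRC, IP_SRC_LAST))]
    return " or ".join(halves)


def pppoes_ipv4_matches(frame: bytes, mac: bytes, nibble: int) -> bool:
    """Evaluate pppoes_ipv4_filter() semantics on a raw frame."""
    hi, lo = _mac_parts(mac)
    try:
        if (ether(frame, ETH_TYPE, 2) != ETH_P_PPPOE_SESS
                or ether(frame, PPP_PROTO, 2) != PPP_IPV4):
            return False
        for a, ip in ((ETH_DST, IP_DST_LAST), (ETH_SRC, IP_SRC_LAST)):
            if (ether(frame, a + 2, 4) == lo and ether(frame, a, 2) == hi
                    and ether(frame, ip) & 0x0f == nibble):
                return True
        return False
    except IndexError:
        return False  # BPF rejects the packet when any load runs past its end


def build_pppoe_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, session_id=1) -> bytes:
    """Constructed Ethernet II + PPPoE session + PPP + IPv4 frame, no payload
    (IPv4 checksum left zero; nothing here validates it)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, dst_ip)
    ppp = struct.pack("!H", PPP_IPV4) + ip_hdr
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))  # ver 1, type 1, code 0
    return dst_mac + src_mac + struct.pack("!H", ETH_P_PPPOE_SESS) + pppoe + ppp


def demo() -> dict:
    """Run both filters over constructed test frames."""
    dev = bytes.fromhex("000000000001")   # MAC from the thread
    oui = bytes.fromhex("000c22")         # prefix from the first thread
    peer = bytes.fromhex("000c22aabbcc")  # constructed
    other = bytes.fromhex("112233445566")  # constructed
    to_dev = build_pppoe_ipv4_frame(dev, peer, bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1]))
    from_dev = build_pppoe_ipv4_frame(peer, dev, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 7]))
    wrong_nibble = build_pppoe_ipv4_frame(dev, peer, bytes([10, 0, 0, 7]), bytes([10, 0, 0, 2]))
    plain_ip = dev + other + struct.pack("!H", 0x0800) + bytes(28)  # IPv4 Ethertype, no PPPoE
    return {
        "to_dev": pppoes_ipv4_matches(to_dev, dev, 1),              # True (ether dst half)
        "from_dev": pppoes_ipv4_matches(from_dev, dev, 1),          # True (ether src half)
        "wrong_nibble": pppoes_ipv4_matches(wrong_nibble, dev, 1),  # False
        "plain_ip": pppoes_ipv4_matches(plain_ip, dev, 1),          # False (Ethertype check)
        "truncated": pppoes_ipv4_matches(to_dev[:30], dev, 1),      # False (short packet)
        "oui_to_dev": mac_prefix_matches(to_dev, oui),              # True (source MAC)
        "oui_plain": mac_prefix_matches(plain_ip, oui),             # False
    }


if __name__ == "__main__":
    print(pppoes_ipv4_filter(bytes.fromhex("000000000001"), 1))
    print(mac_prefix_filter(bytes.fromhex("000c22")))
    for name, hit in demo().items():
        print(f"{name:>13}: {hit}")
```

Feed the printed filter text to dumpcap -d -f "..." (or tcpdump -d) and compare the byte code with the pppoes version from the thread; the only differences should be the addresses and the two offsets. Because the offsets are absolute, the manual form stops matching as soon as a VLAN tag or any other encapsulation is in front of the PPPoE header, which is exactly what the pppoes keyword would otherwise adjust for, so keep it for the half of the expression where it still parses.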