
I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some MAC addresses. To do this I tried to run the command using a syntax similar to Wireshark:

tcpdump -i prism0 ether src[0:3] 5c:95:ae -s0 -w | nc 192.168.1.147 31337

so that I can listen to all the devices whose MAC address starts with 5c:95:ae.

The problem is that the syntax is wrong, and I was wondering if any of you knows the right syntax to get what I want.

RzR
Giovanni Soldi

1 Answer


With man pcap-filter I found this solution:

tcpdump "ether[6:2] == 0x5c95 and ether[8:1] == 0xae"
graphite
  • Hi! Thanks a lot for the answer. I found this way as well. The problem is that I need to specify the flag src after ether, but if I add it then I still get a syntax error. – Giovanni Soldi Oct 26 '12 at 14:20
  • Why do you need this flag so much? – graphite Oct 26 '12 at 14:31
  • 2
    Why do you need to specify `src` after `ether`? The `ether` in `ether src XX:XX:XX:XX:XX:XX` means "this is an Ethernet address", so to look only at the source address you need to specify "src", but the `ether` in `ether[6:2]` says "this is part of the Ethernet header", and bytes 6 and 7 of the Ethernet header are the first two bytes of the source address and byte 8 is the third byte of the source address, so the `6:2` and `8:1` specify that you're testing the source address. graphite's filter is exactly what you need and want. –  Oct 26 '12 at 19:33
  • Okay! I will try then! Thanks a lot for the help! I'll write here again if I have any problems! – Giovanni Soldi Oct 28 '12 at 09:25
  • Hi! I am not sure why, but this didn't work. Basically, I run the command using the entire MAC address (tcpdump -i prism0 ether src 5c:95:ae:x8:6c:3a -s0 -w | nc 192.168.1.147 31337) and tcpdump captured the packets sent from my phone. Whereas if I use graphite's filter (tcpdump -i prism0 "ether[6:2] == 0x5c95 and ether[8:1] == 0xae" -s0 -w | nc 192.168.1.147 31337) it doesn't capture any packets. Shouldn't I get more packets with graphite's filter? Thanks again for the help! – Giovanni Soldi Oct 30 '12 at 14:33
  • Does it work if you type exactly my command? Without `-s0 -w | nc 192.168.1.147 31337`. It does for me. – graphite Oct 30 '12 at 15:11
  • The first time I tried without `-s0 -w | nc 192.168.1.147 31337` but still didn't get any data. I'll test it again and confirm to you. Thanks a lot! – Giovanni Soldi Oct 31 '12 at 08:56
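The answer and the comment above explain the filter byte-wise: `ether[off:size]` reads `size` bytes at byte offset `off` from the start of the link-layer header, and on Ethernet bytes 6..11 are the source address. The following Python is an added worked example (not code from the question, the answer, or tcpdump/libpcap itself): it generates the byte-offset expression for any source-MAC prefix, which for `5c:95:ae` reproduces graphite's filter exactly, and evaluates such an expression against constructed Ethernet frames the way BPF would, side by side with an ordinary header parse, so you can see that only the source address is matched and that a frame too short for the access never matches. One caveat the thread's last comments point at: these offsets only mean "source address" when the capture link type is Ethernet. A monitor interface such as prism0 delivers frames that start with a Prism/802.11 header rather than an Ethernet header, so fixed offsets 6..8 land somewhere else entirely, while `ether src` with a full address is translated by libpcap according to the link type. The function and variable names below are my own.

```python
"""Source-MAC prefix matching on raw Ethernet frames, both as a generated
pcap-filter expression and as a byte-offset evaluation of that expression.
Added example; assumes an Ethernet (DLT_EN10MB) link type."""
import re
import struct

ETH_HDR_LEN = 14   # dst(6) + src(6) + ethertype(2)
SRC_OFFSET = 6     # source address starts at byte 6 of the Ethernet header


def mac_to_bytes(mac: str) -> bytes:
    """'5c:95:ae' (prefix) or 'xx:xx:xx:xx:xx:xx' (full) -> 1..6 raw octets."""
    octets = bytes(int(o, 16) for o in mac.split(":"))
    if not 1 <= len(octets) <= 6:
        raise ValueError(f"bad MAC or prefix: {mac!r}")
    return octets


def build_src_prefix_filter(prefix: str) -> str:
    """Build the pcap-filter expression that tests a source-MAC prefix byte-wise.

    pcap's ether[off:size] accepts sizes 1, 2 and 4, so the prefix is split
    into the largest chunks that fit. For '5c:95:ae' this yields exactly the
    answer's filter: ether[6:2] == 0x5c95 and ether[8:1] == 0xae
    """
    remaining = mac_to_bytes(prefix)
    offset = SRC_OFFSET
    terms = []
    while remaining:
        size = 4 if len(remaining) >= 4 else (2 if len(remaining) >= 2 else 1)
        value = int.from_bytes(remaining[:size], "big")
        terms.append(f"ether[{offset}:{size}] == 0x{value:0{2 * size}x}")
        offset += size
        remaining = remaining[size:]
    return " and ".join(terms)


_TERM = re.compile(r"ether\[(\d+):([124])\] == 0x([0-9a-fA-F]+)")


def bpf_style_match(frame: bytes, expr: str) -> bool:
    """Evaluate 'and'-joined ether[off:size] == 0x.. terms as plain byte
    offsets from the start of the frame, which is what the filter does on an
    Ethernet link. A frame too short for an access never matches (BPF treats
    an out-of-bounds load as a reject)."""
    for term in expr.split(" and "):
        m = _TERM.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        off, size, value = int(m[1]), int(m[2]), int(m[3], 16)
        if off + size > len(frame):
            return False
        if int.from_bytes(frame[off:off + size], "big") != value:
            return False
    return True


def src_mac_has_prefix(frame: bytes, prefix: str) -> bool:
    """The same test done by parsing the header: what the filter is meant to say."""
    if len(frame) < ETH_HDR_LEN:
        return False
    _dst, src, _ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    p = mac_to_bytes(prefix)
    return src[:len(p)] == p


def make_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Constructed Ethernet frame used as sample input (not captured traffic)."""
    return struct.pack("!6s6sH", mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


if __name__ == "__main__":
    expr = build_src_prefix_filter("5c:95:ae")
    print("filter:", expr)
    samples = {
        "sent by a 5c:95:ae device":   make_frame("00:11:22:33:44:55", "5c:95:ae:12:34:56"),
        "sent TO a 5c:95:ae device":   make_frame("5c:95:ae:12:34:56", "00:11:22:33:44:55"),
        "different prefix 5c:95:ad":   make_frame("00:11:22:33:44:55", "5c:95:ad:12:34:56"),
        "truncated frame":             b"\x00" * 8,
    }
    for label, frame in samples.items():
        print(f"{label:28s} bpf={bpf_style_match(frame, expr)!s:5} "
              f"parsed={src_mac_has_prefix(frame, '5c:95:ae')}")
```

Running it prints the generated expression and, for each constructed frame, the same verdict from the byte-offset evaluation and from the parsed header: only the frame whose source address begins with `5c:95:ae` matches, the frame addressed to such a device does not, and the truncated frame is rejected rather than misread. The second function also shows what would happen on prism0: feed it a frame that does not begin with an Ethernet header and the offsets compare unrelated bytes, so nothing matches.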