
I would like to capture all wifi traffic from a specific device manufacturer using Wireshark/Tshark/TCPDump/etc. I want to use a CAPTURE filter, not a display filter. Basically, I want to capture all packets from the MAC address 11:22:33:xx:xx:xx and nothing else. Or, put another way, the first 3 octets or OUI of the MAC address using Berkeley Packet Filtering Syntax. Anyone have a preferred method?

Ross Jacobs
Rasstace

1 Answer


Per this post, use syntax like ether[A:B] in your capture filter where

  • A = start byte location in ethernet frame, starting at 0
  • B = number of bytes, must be 1, 2, or 4

So to match 3 bytes, you have to have 2 comparisons: Match 2 bytes and 1 byte separately.

If you only want packets coming from this OUI (per the question):

tcpdump 'ether[0:2] == 0x1122 && ether[2:1] == 0x33'

If you want all packets going to/from this OUI:

tcpdump 'ether[0:2] == 0x1122 && ether[2:1] == 0x33 \
    || ether[6:2] == 0x1122 && ether[8:1] == 0x33'

The first 12 bytes (0-11) of the ethernet header consist of the destination and then source mac addresses. So to select both sets of 3 bytes 0-2 and 6-8, select 2 bytes at 0, 1 byte at 2, 2 bytes at 6 and 1 byte at 8.

You should also be able to use this with tshark as long as you preface this with the -f capture filter flag.

Ross Jacobs
  • Thank you for your answer. I must add though that it didn't work for me verbatim. I had to use "ether[4:2]==0x1122 && ether[6:1]==0x33 or ether[10:2]==0x1122 && ether[12:1]==0x33", which did the trick. I don't ask for help often, but when I do I sure appreciate people like you that give me hints to find the way. – Rasstace May 10 '21 at 00:06
    @Rasstace, the offsets you're using don't make any sense for the standard [Ethernet II frame](https://en.wikipedia.org/wiki/Ethernet_frame#Ethernet_II). Are you actually working with Ethernet II frames or perhaps another encapsulation? What does Wireshark/tshark tell you about the framing? Can you post the hex bytes of one of the frames or at least the output of `capinfos -E file.pcap`? I'm curious about what the actual [link layer header type](https://www.tcpdump.org/linktypes.html) is here where the offsets you supplied make sense - e.g., a `DLT_NETANALYZER` data link type perhaps? – Christopher Maynard Jun 10 '21 at 16:58
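An added offline model (not code from the answer or the commenters) of how tcpdump evaluates the ether[A:B] operands used in the answer, run against constructed Ethernet II frames with the question's placeholder OUI. The `base` parameter is my assumption, added to show that every offset shifts when extra link-layer bytes precede the MAC header, which is what the comment thread is probing.

```python
"""Offline check of tcpdump's ether[A:B] OUI filters from the answer.

Frames below are constructed for this example; 11:22:33 is the question's
placeholder OUI, not a real vendor assignment.
"""
import struct
from typing import Optional

OUI = bytes.fromhex("112233")   # 11:22:33:xx:xx:xx from the question
DST_OFF, SRC_OFF = 0, 6         # Ethernet II: destination MAC at 0-5, source MAC at 6-11


def ether(frame: bytes, a: int, b: int) -> Optional[int]:
    """ether[a:b]: b bytes at offset a, read as a big-endian unsigned int.

    BPF accepts only b in {1, 2, 4}; a load past the end of the packet makes
    the whole filter reject that packet, modelled here by returning None.
    """
    if b not in (1, 2, 4):
        raise ValueError("ether[A:B] needs B of 1, 2 or 4")
    if a + b > len(frame):
        return None
    return int.from_bytes(frame[a:a + b], "big")


def oui_at(frame: bytes, off: int, oui: bytes = OUI) -> bool:
    """Same test as 'ether[off:2] == 0x1122 && ether[off+2:1] == 0x33'.

    Two comparisons are needed because a 3-byte load is not allowed."""
    hi, lo = struct.unpack(">HB", oui)   # (0x1122, 0x33)
    return ether(frame, off, 2) == hi and ether(frame, off + 2, 1) == lo


def src_oui(frame: bytes, base: int = 0) -> bool:
    """Packets whose source MAC carries the OUI (base = assumed extra header bytes)."""
    return oui_at(frame, base + SRC_OFF)


def dst_or_src_oui(frame: bytes, base: int = 0) -> bool:
    """The answer's second filter: OUI in either the destination or source MAC."""
    return oui_at(frame, base + DST_OFF) or oui_at(frame, base + SRC_OFF)


def ethernet_frame(dst: str, src: str, payload: bytes = b"\x08\x00" + b"\x00" * 46) -> bytes:
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType, padded payload."""
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + payload


# Constructed sample frames used by the checks.
FROM_VENDOR = ethernet_frame("aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66")
TO_VENDOR = ethernet_frame("11:22:33:44:55:66", "aa:bb:cc:dd:ee:ff")
OTHER = ethernet_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02")
```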