lee wrote:
>
> I have been contracted to set up RH6.2 and Ethereal for a company.
> Their MIS guy wants to be able to filter by MAC address; so far I have
> found Ngrep but haven't set it up. Was wondering if you people had any
> clue as to how I would set up packet filtering. P.S. I am a newbie who
> somehow bullshitted my way into a consulting job and now I fear that I am
> over my head. Any info would be much appreciated. Thanks for your
> time, Lee
;-) Well, no time like the present to learn something new.
Ethereal filter syntax matches that of tcpdump. I don't recall
all of the options every time I go to use Ethereal, so I always
check the tcpdump man page, then test the filter syntax with
tcpdump first. For example,
# tcpdump ether host 00:A0:CC:63:DE:EE
will capture all packets on eth0 to and from the host with a MAC address
of 00:A0:CC:63:DE:EE on one of its interface cards. Of course, that
address needs to have local connectivity to whatever is attached to eth0.
You could also use tethereal to do this test.
Once I know that it works with tcpdump, I then invoke Ethereal and
specify the working filter...this can be done in a number of ways, so
check the Ethereal docs. The reason I test before I invoke Ethereal is
because once you make a syntax error in specifying a filter w/ Ethereal,
it will always report a syntax error thereafter until you kill and
restart Ethereal. This bug existed through v8.9 and I don't know if it's
fixed in 8.10.
Anyway, there are all sorts of things you can do with Ethereal in terms
of packet capture and filtering. It's very robust and flexible. Play
around and have fun!
Hope this helps.
Scott
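As an added illustration (not part of Scott's reply), here is a small Python script that applies the same match tcpdump performs for "ether host", "ether src" and "ether dst" to the Ethernet frames in a classic pcap file, so you can see exactly which frames a MAC-address filter selects before trusting it in Ethereal. The capture it reads is constructed inline; the MAC 00:A0:CC:63:DE:EE is the one from the example above, the others are made up.

```python
import struct

def mac_bytes(text):
    """Parse 'aa:bb:cc:dd:ee:ff' (any case) into six raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)

def ether_filter(kind, mac):
    """Predicate equivalent to tcpdump's 'ether host|src|dst <mac>'.
    Ethernet II header: dst MAC (6) | src MAC (6) | EtherType (2)."""
    if kind not in ("host", "src", "dst"):
        raise ValueError("unknown qualifier: %r" % kind)
    target = mac_bytes(mac)
    def match(frame):
        if len(frame) < 14:
            return False          # runt frame: no complete header
        dst, src = frame[0:6], frame[6:12]
        return {"host": target in (dst, src),
                "src": src == target,
                "dst": dst == target}[kind]
    return match

def read_pcap_frames(data):
    """Yield link-layer frames from a little-endian classic pcap file."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian pcap file")
    off = 24                      # skip the 24-byte global header
    while off + 16 <= len(data):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def build_frame(dst, src, ethertype=0x0800):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack(">H", ethertype)

def build_pcap(frames):
    """Constructed pcap (linktype 1 = Ethernet) used as sample input."""
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                          for f in frames)

TARGET = "00:A0:CC:63:DE:EE"     # constructed sample capture: 3 frames
SAMPLE_PCAP = build_pcap([
    build_frame("ff:ff:ff:ff:ff:ff", TARGET, 0x0806),      # broadcast ARP from target
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb"), # unrelated traffic
    build_frame(TARGET, "00:11:22:33:44:55"),              # unicast to target
])

def apply_filter(pcap_bytes, kind, mac):
    """Indices of frames that 'tcpdump ether <kind> <mac>' would print."""
    pred = ether_filter(kind, mac)
    return [i for i, f in enumerate(read_pcap_frames(pcap_bytes)) if pred(f)]
```

Running apply_filter(SAMPLE_PCAP, "host", TARGET) returns [0, 2]: the frame sent by the target and the one addressed to it, but not the unrelated one.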