Wireshark-users: Re: [Wireshark-users] Capture filter for ethernet range
From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Date: Tue, 07 Nov 2006 15:49:26 -0800
At 03:26 PM 11/7/2006, Andrew Schweitzer wrote:
I have an ethernet range I want to sniff (00:80:44:00:00:00 -
00:80:44:ff:ff:ff).

The following filter is legal, and sort of looks right, but only seems
to capture packets where the packet's ethernet *destination* is the
specified range.

(ether[0:4]>=0x00804400 and ether[0:4]<=0x008044ff)

Any ideas?

Sure. It only captures destination packets because you are only checking the destination address. You need to also check for the source address. Assuming you want packets whose source or destination address is in the range:

(ether[0:4]>=0x00804400 and ether[0:4]<=0x008044ff) or
(ether[6:4]>=0x00804400 and ether[6:4]<=0x008044ff)
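
The difference between the two filters in this thread can be checked offline with the following added example (not part of the original posts), which emulates the `ether[offset:size]` accessor in Python over constructed frames. The helper names and the sample MAC addresses outside the 00:80:44 range are assumptions made for the illustration.

```python
import struct

# First four bytes of the range 00:80:44:00:00:00 - 00:80:44:ff:ff:ff
LOW, HIGH = 0x00804400, 0x008044FF

def ether(frame: bytes, offset: int, size: int) -> int:
    """Emulate the pcap accessor ether[offset:size] (big-endian; size 1, 2 or 4)."""
    fmt = {1: "!B", 2: "!H", 4: "!I"}[size]
    return struct.unpack_from(fmt, frame, offset)[0]

def dst_only(frame: bytes) -> bool:
    # (ether[0:4]>=0x00804400 and ether[0:4]<=0x008044ff)
    # Bytes 0-5 of an Ethernet frame hold the destination address.
    return LOW <= ether(frame, 0, 4) <= HIGH

def src_or_dst(frame: bytes) -> bool:
    # ... or (ether[6:4]>=0x00804400 and ether[6:4]<=0x008044ff)
    # Bytes 6-11 hold the source address.
    return dst_only(frame) or LOW <= ether(frame, 6, 4) <= HIGH

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def make_frame(dst: str, src: str) -> bytes:
    # Constructed frame: dst MAC, src MAC, EtherType 0x0800, zeroed payload.
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(46)

# Constructed sample frames (addresses outside 00:80:44 are made up).
SAMPLES = {
    "to_range": make_frame("00:80:44:12:34:56", "00:11:22:33:44:55"),
    "from_range": make_frame("00:11:22:33:44:55", "00:80:44:ff:ff:ff"),
    "neither": make_frame("00:80:45:00:00:00", "00:80:43:ff:ff:ff"),
}

def evaluate() -> dict:
    """Return {sample name: (dst_only result, src_or_dst result)}."""
    return {name: (dst_only(f), src_or_dst(f)) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (a, b) in evaluate().items():
        print(f"{name:11} dst-only={a!s:5} src-or-dst={b}")
```

The `from_range` frame is the case the first filter misses: its source address is inside the range, but only bytes 0-3 (the destination) are compared.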