Hi folks,
I want to capture ARP Requests/Responses around a particular MAC
address (I'm looking for a rogue node intermittently impersonating
this address).
Thus, I want to filter on the ARP fields: Sender MAC Address and
Target MAC Address
A capture filter of:
arp
of course captures all ARPs
A capture filter of:
ether[12:2]==0x0806
of course captures all ARPs
But a capture filter of:
arp and (ether[22:6]==0x001e4f3d4204 or ether[32:6]==0x001e4f3d4204)
stays red ... invalid
Trying a simpler capture filter:
ether[22:6]==0x001e4f3d4204
also red
OK, so reading the documentation ...
http://www.wireshark.org/docs/man-pages/pcap-filter.html ... I see
that pcap permits a length of either 1, 2, or 4 ... no sixes (6).
"Proto is one of
ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp,
tcp, udp, icmp, ip6 or radio, and indicates the
protocol layer for the index operation. (ether, fddi,
wlan, tr, ppp, slip and link all refer to the
link layer. radio refers to the "radio
header" added to some 802.11 captures.) Note that
tcp, udp and other upper-layer protocol types only
apply to IPv4, not IPv6 (this will be fixed in the future).
The byte offset, relative to the indicated protocol layer,
is given by expr. Size is optional and
indicates the number of bytes in the field of interest; it
can be either one, two, or four, and defaults to one. The
length operator, indicated by the keyword len, gives
the length of the packet."
Bummer. I've poked through the changelog for the latest libpcap; I
don't see any mention of increasing the offset field:
http://www.tcpdump.org/libpcap-changes.txt
Can anyone think of a creative way to do the same thing? I'm going
with the following for now:
arp and (ether[22:4]==0x001e4f3d or ether[32:4]==0x001e4f3d)
But obviously it is a bit broader than I really want.
?
--sk
Stuart Kendrick
FHCRC
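As an added illustration (not part of the original post), the script below shows why the poster's offsets are 22 and 32 and how to test all six MAC bytes within the 1/2/4-byte limit of the BPF index operator: compare the first four bytes with `ether[off:4]` and the remaining two with `ether[off+4:2]`. It builds constructed ARP frames in Python, evaluates the resulting predicate the same way BPF would, and contrasts it with the 4-byte approximation the post settles on. The MAC address is the one from the post; the frame contents and IP addresses are made up for the example.

```python
import struct

# MAC address the original post wants to isolate
TARGET_MAC = "00:1e:4f:3d:42:04"

# Ethernet header: dst(6) + src(6) + ethertype(2) = 14 bytes.
# ARP header: hw type(2) + proto type(2) + hlen(1) + plen(1) + opcode(2) = 8 bytes,
# so the sender MAC starts at 14 + 8 = 22 and the target MAC follows
# sender MAC(6) + sender IP(4), i.e. at 32. These are the offsets the post uses.
ETH_HDR_LEN = 14
ARP_SHA_OFF = ETH_HDR_LEN + 8        # 22: ARP sender hardware address
ARP_THA_OFF = ARP_SHA_OFF + 6 + 4    # 32: ARP target hardware address


def mac_bytes(mac):
    """'00:1e:4f:3d:42:04' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode=1):
    """Constructed Ethernet/ARP frame (sample data, not a real capture)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet / IPv4 / request
    arp += mac_bytes(sender_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += mac_bytes(target_mac) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def ether(frame, off, size):
    """Mimic the BPF ether[off:size] accessor: big-endian unsigned integer,
    and only the sizes pcap-filter actually permits."""
    if size not in (1, 2, 4):
        raise ValueError("pcap index operator supports sizes 1, 2 or 4 only")
    return int.from_bytes(frame[off:off + size], "big")


def split_filter(mac):
    """Capture filter text that checks all six MAC bytes as a 4-byte plus a
    2-byte comparison, at both the sender and the target MAC offsets."""
    raw = mac_bytes(mac)
    hi, lo = raw[:4].hex(), raw[4:].hex()
    return ("arp and ((ether[%d:4]==0x%s and ether[%d:2]==0x%s) or "
            "(ether[%d:4]==0x%s and ether[%d:2]==0x%s))"
            % (ARP_SHA_OFF, hi, ARP_SHA_OFF + 4, lo,
               ARP_THA_OFF, hi, ARP_THA_OFF + 4, lo))


def matches_split(frame, mac):
    """Evaluate the predicate produced by split_filter() over a raw frame."""
    raw = mac_bytes(mac)
    hi, lo = int.from_bytes(raw[:4], "big"), int.from_bytes(raw[4:], "big")
    is_arp = ether(frame, 12, 2) == 0x0806
    sender = ether(frame, ARP_SHA_OFF, 4) == hi and ether(frame, ARP_SHA_OFF + 4, 2) == lo
    target = ether(frame, ARP_THA_OFF, 4) == hi and ether(frame, ARP_THA_OFF + 4, 2) == lo
    return is_arp and (sender or target)


def matches_prefix(frame, mac):
    """The post's interim 4-byte filter: any MAC sharing the first four bytes matches."""
    hi = int.from_bytes(mac_bytes(mac)[:4], "big")
    return ether(frame, 12, 2) == 0x0806 and (
        ether(frame, ARP_SHA_OFF, 4) == hi or ether(frame, ARP_THA_OFF, 4) == hi)


if __name__ == "__main__":
    print(split_filter(TARGET_MAC))
    exact = build_arp(TARGET_MAC, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
    neighbour = build_arp("00:1e:4f:3d:42:05", "10.0.0.6", "00:00:00:00:00:00", "10.0.0.1")
    print("exact   split=%s prefix=%s" % (matches_split(exact, TARGET_MAC), matches_prefix(exact, TARGET_MAC)))
    print("neighb. split=%s prefix=%s" % (matches_split(neighbour, TARGET_MAC), matches_prefix(neighbour, TARGET_MAC)))
```

The printed filter string can be pasted into Wireshark's capture-filter field or passed to tcpdump; the point of the Python evaluation is only to show that the 4+2 split is exact where the 4-byte version also accepts any address in the same 00:1e:4f:3d prefix.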