
I'm trying to filter traffic by src ether host to see all devices with a specific MAC prefix. If this were like IP, it might filter with src ether host aa:bb:cc:00:00:00/24 to see OUIs matching aa:bb:cc... but it doesn't like that.

Is there a way to match by MAC prefix or mask?

In case it matters:

This is for Wi-Fi, so technically it's an SA address that you can see if you scroll to the right (tcpdump puts that in the src ether host field).

13:12:48.139316 1.0 Mb/s 2412 MHz 11b -41dBm signal -41dBm signal antenna 0 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:aa:bb:cc:84:05:7c Probe Request (emporia) [5.5* 11.0* 1.0* 2.0* 6.0 12.0 24.0 48.0 Mbit] 
  • Maybe this gets you started: tcpdump "ether[6:2] == 0xabcd and ether[8:1] == 0xef". I didn't figure out how to get only packets originating from that host, though. Source: StackOverflow Commented Feb 6, 2023 at 21:48

1 Answer

The names (host, src host, ether, ether src, ...) are basically shortcuts to specific bytes in the corresponding tcp or ip packets. There are no wildcards allowed in tcpdump filters, so one has to dig deeper into the tcp packets themselves. The ethernet src-address is in the 6 bytes starting at ether[6], the ethernet dest-address is in the 6 bytes starting at ether[0].

So if one wants to filter for three bytes of the src-address, one has to filter for the bytes 6, 7 and 8. Since one can't filter for three bytes ("tcpdump: data size must be 1, 2, or 4"), the filter has to be broken into two parts: bytes 6 and 7: ether[6:2], byte 8: ether[8:1]

Which means, the filter would look like: ether[6:2]==0xaabb and ether[8:1]==0xcc
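As an added example (not from the question or the answer), a small POSIX shell helper that generalizes the answer's byte-offset trick to any prefix of 1 to 6 whole bytes and to either address, splitting the prefix into the 4-, 2- and 1-byte loads that tcpdump accepts. It assumes an Ethernet link header, where the destination starts at ether[0] and the source at ether[6] as the answer states; the 802.11 header of the monitor-mode capture in the question places its address fields at different offsets, so the generated expression is not valid there.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Builds a tcpdump filter that matches a MAC address prefix by comparing raw
# link-layer bytes, because 'ether src' accepts no mask or prefix length.
# Assumption: Ethernet link header (dst at ether[0], src at ether[6]).

# Usage: mac_prefix_filter src|dst aa:bb:cc   -> prints the filter expression
mac_prefix_filter() {
    dir=$1
    prefix=$2
    case $dir in
        src) base=6 ;;
        dst) base=0 ;;
        *) echo "direction must be src or dst" >&2; return 1 ;;
    esac
    # Drop ':' or '-' separators and lowercase: "aa:bb:cc" -> "aabbcc".
    hex=$(printf '%s' "$prefix" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
    nbytes=$(( ${#hex} / 2 ))
    if [ $(( ${#hex} % 2 )) -ne 0 ] || [ "$nbytes" -lt 1 ] || [ "$nbytes" -gt 6 ]; then
        echo "prefix must be 1 to 6 whole bytes" >&2; return 1
    fi
    expr=""
    off=$base
    # tcpdump can only load 1, 2 or 4 bytes per comparison, so take the
    # largest chunk that still fits (3 bytes -> one 2-byte and one 1-byte term).
    while [ "$nbytes" -gt 0 ]; do
        if [ "$nbytes" -ge 4 ]; then size=4
        elif [ "$nbytes" -ge 2 ]; then size=2
        else size=1; fi
        chunk=$(printf '%s' "$hex" | cut -c1-$(( size * 2 )))
        hex=$(printf '%s' "$hex" | cut -c$(( size * 2 + 1 ))-)
        term="ether[$off:$size] == 0x$chunk"
        if [ -z "$expr" ]; then expr=$term; else expr="$expr and $term"; fi
        off=$(( off + size ))
        nbytes=$(( nbytes - size ))
    done
    printf '%s\n' "$expr"
}

# The case from the question: every frame whose source OUI is aa:bb:cc.
# tcpdump -i eth0 -e "$(mac_prefix_filter src aa:bb:cc)"
```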
