[tcpdump-workers] Any way to filter ether address when type is LINUX_SLL?
Hi all,

I get a pcap flow from my router box (Peplink). The only thing I can change is the dev "interface" from a web page. If one is chosen, I've got an EN10MB type and I can filter my incoming flow with "tcpdump -r - -w - ether host 01:23:45:67:89:01". If I choose "All", I suppose "-i any" is added and then I get a LINUX_SLL type on which my command leads to "tcpdump: ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel".

Is there any way to filter the LINUX_SLL flow to keep only traffic from a specific MAC address from tcpdump? I mean before wireshark.

Regards,
Édouard

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Any way to filter ether address when type is LINUX_SLL?
And is there any way to filter by link-type? In fact, I need only those LINUX_SLL.

Regards,

On 29/12/2020 at 22:39, Michael Richardson wrote:
> Edouard Gaulué via tcpdump-workers wrote:
> > I get a pcap flow from my router box (Peplink). The only thing I can change
> > is the dev "interface" from a web page. If one is chosen, I've got an EN10MB
> > type and I can filter my incoming flow with "tcpdump -r - -w - ether host
> > 01:23:45:67:89:01". If I choose "All", I suppose "-i any" is added and then
> > I get a LINUX_SLL type on which my command leads to "tcpdump: ethernet
> > addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre
> > Channel".
>
> Sorry, the LINUX_SLL has a fake header, and no *real* L2 header at all.
> In theory, the pcap compiler could learn to filter on that LL address that
> is included, but it's not that smart.
>
> > Is there any way to filter the LINUX_SLL flow to keep only traffic from a
> > specific MAC address from tcpdump? I mean before wireshark.
>
> If you know what ethernet address you want, can't you just specify the
> interface? If you are trying to dump on the "outside" of your router (after
> the NAPT), then it will always be the L2 of the router anyway. The only
> place you'll see the device's actual L2 address is on the network where it
> is plugged in.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
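Michael's point above is that the LINUX_SLL pseudo-header does carry a link-layer address, it is just not reachable through libpcap's "ether host" primitive. As an added illustration (not code from the thread, tcpdump or libpcap), the script below reads a classic pcap whose link type is 113 (LINUX_SLL), decodes the 16-byte pseudo-header of each record and writes out only the records whose address field equals a given MAC; the sample capture it runs on is constructed inline.

```python
import struct

LINKTYPE_LINUX_SLL = 113   # LINKTYPE value for the Linux "cooked" capture

def sll_addr(pkt):
    """Address field of the LINUX_SLL pseudo-header (all big-endian): packet
    type(2), ARPHRD_ type(2), address length(2), address(8, padded), proto(2)."""
    if len(pkt) < 16:
        return None
    halen = struct.unpack_from(">H", pkt, 4)[0]
    return pkt[6:6 + min(halen, 8)]

def filter_sll_pcap(data, mac):
    """Return (filtered_pcap_bytes, kept_count); handles both pcap byte orders."""
    magic = struct.unpack_from(">I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = ">"
    elif magic == 0xD4C3B2A1:
        end = "<"
    else:
        raise ValueError("not a classic (non-ng) pcap file")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected LINUX_SLL (113), got %d" % linktype)
    out, kept, off = bytearray(data[:24]), 0, 24   # copy the 24-byte file header
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "IIII", data, off)[2]   # incl_len
        rec = data[off:off + 16 + incl]
        if len(rec) < 16 + incl:
            break                      # truncated final record: stop cleanly
        if sll_addr(rec[16:]) == mac:  # record header is 16 bytes, then SLL
            out += rec
            kept += 1
        off += 16 + incl
    return bytes(out), kept

def make_sll_pcap(records):
    """Constructed sample: build a big-endian pcap from [(mac, payload), ...]."""
    hdr = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    body = b""
    for i, (mac, payload) in enumerate(records):
        # packet type 0 (to us), ARPHRD_ETHER (1), 6-byte address, IPv4 proto
        sll = struct.pack(">HHH8sH", 0, 1, len(mac), mac.ljust(8, b"\0"), 0x0800)
        pkt = sll + payload
        body += struct.pack(">IIII", 1609200000 + i, 0, len(pkt), len(pkt)) + pkt
    return hdr + body

WANTED = bytes.fromhex("012345678901")   # the address from the thread
OTHER = bytes.fromhex("aabbccddeeff")    # constructed second host
SAMPLE = make_sll_pcap([(WANTED, b"A" * 20), (OTHER, b"B" * 20), (WANTED, b"C" * 20)])
```

The output is still a plain pcap of link type 113, so tcpdump or wireshark can read it as usual; only the address selection happens outside the BPF filter.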
Re: [tcpdump-workers] Any way to filter ether address when type is LINUX_SLL?
For posterity, I did:

ncat -l 12345 | tshark -r - -w - sll > w

where w is a named pipe. Instead of:

ncat -l 12345 | tcpdump -r - -w - [pcap_filter] > w

Your answer leads me to this solution, I needed an upper-level tool.

Regards,

On 19/01/2021 at 15:45, Michael Richardson wrote:
> Edouard Gaulué wrote:
> > And is there any way to filter by link-type? In fact, I need only those
> > LINUX_SLL.
>
> pcap format can only contain a single link-type, so that's a no-op.
> pcapng could contain multiple link-types, but tcpdump doesn't write that.
> While wireshark can write pcapng, I don't think it writes multiple link
> types to a single file, but of course, you could have concatenated multiple
> pcapng files. I'm not sure what tcpdump would do if it sees that :-)
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [