Hannes Gredler wrote:
Dan Joumaa wrote:
Hello,
I am trying to capture all ethernet packets with the source host's
first 3 octets being 00, 09, and bf. It was suggested that I use
this filter: "ether[0] == 0x00 && ether[1] == 0x09 && ether[2] ==
0xbf". When packets are sent that should match, nothing comes
through. When I remove the filter, I'm able to receive the packets,
along with every other packet.
What's wrong with my filter?
perhaps the filter is alright and the data is wrong ;-) -> i.e.
an idea that comes into mind is that
the packets come in using 802.1Q (VLAN) encaps ...
can you provide some more information about your capturing interface?
/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
hey again,
I'm trying to capture data off a switched network. Specifically, I'm
trying to get ARP packets. I've done this before, but this doesn't work.
My init code looks perfectly fine:
char *dev;
char errbuf[PCAP_ERRBUF_SIZE+1];
bpf_u_int32 mask;
char filter[] = "ether[6] = 0x00 && ether[7] = 0x09 && ether[8] = 0xbf";
struct bpf_program fp;
pcap_t *pcap;   /* capture handle (declaration assumed, not shown in the post) */
...get net mask and dev...
if( (pcap = pcap_open_live( dev, BUFSIZ, 1, 0, errbuf )) == NULL ) {
    (void)fprintf( stderr, "Failed to open a pcap session because %s.\n", errbuf );
    (void)free( dev );
    return (false);
}
(void)free( dev );
(void)setuid( getuid( ) ); // give the user back ownership
if( pcap_compile( pcap, &fp, filter, 0, mask ) < 0 ) {
    /* pcap_compile() does not write errbuf; the reason is in pcap_geterr() */
    (void)fprintf( stderr, "Failed to compile the filter because %s.\n", pcap_geterr( pcap ) );
    (void)pcap_close( pcap );
    return (false);
}
if( pcap_setfilter( pcap, &fp ) < 0 ) {
    /* likewise, pcap_setfilter() reports through pcap_geterr(), not errbuf */
    (void)fprintf( stderr, "Failed to activate the filter because %s.\n", pcap_geterr( pcap ) );
    (void)pcap_close( pcap );
    return (false);
}
pcap_freecode( &fp );   /* the compiled program can be released once installed */
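As an added example, not code from either post: a small C check that does by hand what the posted byte-offset filter tests (source MAC OUI at ether[6..8]) and that takes Hannes's 802.1Q hint into account, since a VLAN tag leaves the MAC fields where they are but pushes the EtherType four bytes down, which is why a plain "arp" keyword needs "vlan and arp" on tagged traffic. It assumes constructed frame bytes (labelled in the code) instead of a live capture, so it runs without libpcap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_ALEN       6
#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_ARP  0x0806

/* Constructed sample frames (not real captures): an ARP request from
 * 00:09:bf:11:22:33, once untagged and once inside an 802.1Q tag (VLAN 10). */
static const uint8_t untagged_arp[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x09,0xbf,0x11,0x22,0x33, /* dst, src */
    0x08,0x06,                                    /* EtherType: ARP */
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01 }; /* start of ARP header */
static const uint8_t tagged_arp[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x09,0xbf,0x11,0x22,0x33,
    0x81,0x00, 0x00,0x0a,                         /* 802.1Q TPID, TCI (VID 10) */
    0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01 };
static const uint8_t wanted_oui[3] = { 0x00, 0x09, 0xbf };

/* The test the posted filter makes: ether[6], ether[7], ether[8] are the
 * first three octets of the source MAC, i.e. the vendor OUI. */
int src_oui_matches(const uint8_t *frame, size_t len, const uint8_t oui[3])
{
    if (len < 2 * ETH_ALEN + 2) return 0;    /* shorter than an Ethernet header */
    return memcmp(frame + ETH_ALEN, oui, 3) == 0;
}

/* EtherType of the payload, stepping over one 802.1Q tag if present.
 * Sets *tagged to 0 or 1; returns -1 on a truncated frame. */
int payload_ethertype(const uint8_t *frame, size_t len, int *tagged)
{
    size_t off = 2 * ETH_ALEN;
    *tagged = 0;
    if (len < off + 2) return -1;
    unsigned type = ((unsigned)frame[off] << 8) | frame[off + 1];
    if (type == ETHERTYPE_VLAN) {
        off += 4;                            /* TPID + TCI precede the real type */
        if (len < off + 2) return -1;
        type = ((unsigned)frame[off] << 8) | frame[off + 1];
        *tagged = 1;
    }
    return (int)type;
}

/* What the poster is after: ARP frames whose sending NIC carries the OUI,
 * whether or not the switch delivered them with a VLAN tag. */
int arp_from_oui(const uint8_t *frame, size_t len, const uint8_t oui[3])
{
    int tagged;
    return src_oui_matches(frame, len, oui) &&
           payload_ethertype(frame, len, &tagged) == ETHERTYPE_ARP;
}
```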