Gisle wrote:
> "Lentes, Bernd" <bernd.len...@helmholtz-muenchen.de> wrote:
>
> > I'd like to capture all packets which have the same
> > MAC-address for sender and destination.
> > But I don't know the MAC which is causing these messages.
> > So I have to use a universal filter.
> > I tried to use "tcpdump 'ether[8:6] = ether[14:6]'".
> > Beginning with byte 8 is the destination MAC
> > and beginning with byte 14 is the source MAC.
> > And each MAC has the size of 6 bytes.
> > But I got this message: "tcpdump: data size must be 1, 2,
> > or 4". Is there a way to capture the desired 6 bytes?
>
> I think you'll have to split up in 2 checks. 1 for 4 bytes
> and 1 for 2 bytes.
> Something like:
>   tcpdump -d "(ether[8:4]=ether[14:4]) && (ether[12:2]=ether[18:2])"

Hi,

this seems to be smart. I will try that.

Bernd

Helmholtz Zentrum München
Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
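The 4 + 2 byte split suggested in the thread, generalized to any field length and checked offline against raw frames. This is an added example, not code from the thread or from tcpdump; the function names are hypothetical, and the default offsets assume an untagged Ethernet II header (destination MAC at byte 0, source MAC at byte 6), with the thread's own offsets available by passing them as arguments.

```python
# Added example. Offsets below are an assumption: untagged Ethernet II,
# destination MAC at byte 0, source MAC at byte 6.
ETH_DST_OFF, ETH_SRC_OFF, MAC_LEN = 0, 6, 6

def chunks(length):
    """Split `length` bytes into the 4/2/1-byte pieces the accessor allows."""
    done = 0
    while done < length:
        size = next(s for s in (4, 2, 1) if length - done >= s)
        yield done, size
        done += size

def split_compare(off_a, off_b, length, proto="ether"):
    """Build a pcap filter comparing `length` bytes at two offsets."""
    return " and ".join(
        f"({proto}[{off_a + d}:{s}] = {proto}[{off_b + d}:{s}])"
        for d, s in chunks(length))

def matches(frame, off_a, off_b, length):
    """Evaluate the same chunked comparison on raw frame bytes.
    A frame too short to hold both fields does not match."""
    if len(frame) < max(off_a, off_b) + length:
        return False
    return all(
        frame[off_a + d:off_a + d + s] == frame[off_b + d:off_b + d + s]
        for d, s in chunks(length))

# Constructed sample frames: dst MAC, src MAC, EtherType 0x0800, padding.
MAC_A = bytes.fromhex("02aabbccdd01")
MAC_B = bytes.fromhex("02aabbccdd02")
TAIL = b"\x08\x00" + bytes(46)
SAME = MAC_A + MAC_A + TAIL                   # identical source and destination
DIFF = MAC_A + MAC_B + TAIL                   # ordinary frame
LOW2 = MAC_A + MAC_A[:4] + b"\xff\xff" + TAIL  # first 4 bytes equal, last 2 differ
RUNT = MAC_A + MAC_A[:3]                      # truncated before the second field ends

if __name__ == "__main__":
    expr = split_compare(ETH_DST_OFF, ETH_SRC_OFF, MAC_LEN)
    print(f"tcpdump -n -e '{expr}'")
    for name, frame in (("SAME", SAME), ("DIFF", DIFF), ("LOW2", LOW2), ("RUNT", RUNT)):
        print(name, matches(frame, ETH_DST_OFF, ETH_SRC_OFF, MAC_LEN))
```

The `LOW2` frame shows why the 2-byte clause cannot be dropped: a 4-byte comparison alone would accept any pair of addresses that differ only in their last two bytes.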