When talking about Ethernet filters, we refer to Layer-2 filters that are MAC address-based filters. In this recipe we will refer to these filters and what we can do with them.
The basic Layer 2 filters are:
ether host <Ethernet host>: To get the Ethernet address
ether dst <Ethernet host>: To get the Ethernet destination address
ether src <Ethernet host>: To get the Ethernet source address
ether broadcast: To capture all Ethernet broadcast packets
ether multicast: To capture all Ethernet multicast packets
ether proto <protocol>: To filter only the protocol type indicated in the protocol identifier
vlan <vlan_id>: To pass only packets from a specific VLAN that is indicated in the identifier field
For negating a filter rule, simply type the word not or ! in front of the primitive. For example:
not ether host <Ethernet host>
or
! ether host <Ethernet host>
will capture packets that are not from/to the Ethernet address specified in the identifier field. Note that capture filter keywords are case sensitive and must be written in lowercase.
Let's look at the following diagram, in which we have a server, PCs, and a router, connected to a LAN switch. Wireshark is running on the laptop connected to the LAN switch, with port mirror to the entire switch (to VLAN1).
The /24 notation in the drawing refers to a subnet mask of 24 bits, that is, 11111111.11111111.11111111.00000000 in binary or 255.255.255.0 in decimal.
Follow the instructions in the Configuring capture filters recipe, and configure filters as follows:
ether host 00:24:d6:ab:98:b6
ether dst 00:24:d6:ab:98:b6
ether src 00:24:d6:ab:98:b6
ether broadcast (or, equivalently, ether dst ff:ff:ff:ff:ff:ff)
ether multicast
ether proto 0x0800 (the EtherType value must be given in hexadecimal with the 0x prefix)
The way capture filters work with source host and destination host is simple: the capture engine compares the condition with the actual MAC addresses in each frame, and passes only what matches.
A broadcast address is an address in which the destination address is all 1's, that is, ff:ff:ff:ff:ff:ff, therefore when you configure a broadcast filter, only frames sent to this address will pass the filter. Broadcast addresses can be:
In a multicast filter, there are IPv4 and IPv6 multicasts:
01:00:5e: Every packet with a destination MAC address that starts with this prefix is an IPv4 multicast.
33:33: Every packet with a destination MAC address that starts with this prefix is an IPv6 multicast.
Ethernet protocol refers to the ETHER-TYPE field in the Ethernet frame, which indicates the upper-layer protocol. Common values here are 0800 for IPv4, 86dd for IPv6, and 0806 for ARP (all in hexadecimal).
The VLAN filter primitives are:
vlan <vlan number>
vlan <vlan number> and vlan <vlan number> and vlan <vlan number>
…There are around a hundred ETHER-TYPE codes, most of them not in use. You can refer to http://www.mit.edu/~map/Ethernet/Ethernet.txt for additional codes, or simply search the Internet for EtherType codes.
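To show what the capture engine actually compares when it evaluates these primitives, here is an added Python model (not code from the book or from Wireshark) that parses an Ethernet II header, including an optional 802.1Q tag, and applies ether host/dst/src, ether broadcast, ether multicast, ether proto and vlan, plus negation, to a few constructed frames. It generalizes the multicast check the way libpcap does: any destination with the group (I/G) bit set passes ether multicast, so the 01:00:5e and 33:33 prefixes above match, and so does the broadcast address. The server MAC is the one used in this recipe; the PC MAC and the frames are constructed.

```python
import struct

BROADCAST = bytes.fromhex("ff" * 6)

def mac(text: str) -> bytes:
    """'00:24:d6:ab:98:b6' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, ethertype, vlan_id=None, payload=b"\x00" * 46):
    """Constructed Ethernet II frame, optionally with an 802.1Q tag (PCP/DEI bits left 0)."""
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return mac(dst) + mac(src) + tag + struct.pack("!H", ethertype) + payload

def parse_frame(raw: bytes) -> dict:
    """Split out dst, src, EtherType and VLAN ID (None when the frame is untagged)."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    vlan_id = None
    if ethertype == 0x8100:                       # tagged: TCI comes first, then the real EtherType
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF                    # VLAN ID is the low 12 bits of the TCI
    return {"dst": dst, "src": src, "type": ethertype, "vlan": vlan_id}

# The primitives from the recipe, as predicates over a parsed frame.
def ether_host(f, m):   return f["dst"] == m or f["src"] == m
def ether_dst(f, m):    return f["dst"] == m
def ether_src(f, m):    return f["src"] == m
def ether_broadcast(f): return f["dst"] == BROADCAST
def ether_multicast(f): return bool(f["dst"][0] & 0x01)   # group (I/G) bit of the first octet
def ether_proto(f, t):  return f["type"] == t
def vlan(f, vid):       return f["vlan"] == vid

def run_filter(predicate, frames):
    """Names of the frames that pass the filter; 'not' is ordinary Python negation."""
    return sorted(name for name, raw in frames.items() if predicate(parse_frame(raw)))

SERVER = "00:24:d6:ab:98:b6"                     # MAC address used in the recipe
PC = "00:11:22:33:44:55"                         # constructed
FRAMES = {                                       # constructed sample traffic
    "ipv4_to_server":    build_frame(SERVER, PC, 0x0800),
    "arp_broadcast":     build_frame("ff:ff:ff:ff:ff:ff", SERVER, 0x0806),
    "ipv4_mcast":        build_frame("01:00:5e:00:00:fb", PC, 0x0800),
    "ipv6_mcast_vlan10": build_frame("33:33:00:00:00:01", PC, 0x86dd, vlan_id=10),
}

if __name__ == "__main__":
    print("ether host server  ->", run_filter(lambda f: ether_host(f, mac(SERVER)), FRAMES))
    print("ether broadcast    ->", run_filter(ether_broadcast, FRAMES))
    print("ether multicast    ->", run_filter(ether_multicast, FRAMES))
    print("ether proto 0x0800 ->", run_filter(lambda f: ether_proto(f, 0x0800), FRAMES))
    print("vlan 10            ->", run_filter(lambda f: vlan(f, 10), FRAMES))
    print("not ether host     ->", run_filter(lambda f: not ether_host(f, mac(SERVER)), FRAMES))
```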