Configuring Ethernet filters

Ethernet filters are Layer 2 capture filters that match on fields of the Ethernet header: the source and destination MAC addresses, the EtherType, and the 802.1Q VLAN tag. In this recipe we look at these filters and what can be done with them.

Getting ready

The basic Layer 2 filters are:

  • ether host <Ethernet host>: To capture frames sent to or from the given MAC address
  • ether dst <Ethernet host>: To capture frames whose destination is the given MAC address
  • ether src <Ethernet host>: To capture frames whose source is the given MAC address
  • ether broadcast: To capture all Ethernet broadcast frames
  • ether multicast: To capture all Ethernet multicast frames
  • ether proto <protocol>: To capture only frames whose EtherType field carries the given value (for example 0x0800 for IPv4)
  • vlan <vlan_id>: To pass only 802.1Q-tagged frames carrying the VLAN ID given in the identifier field

To negate a filter rule, simply type the word not or ! in front of the primitive. For example:

not ether host <Ethernet host> or !ether host <Ethernet host> will capture frames that are neither from nor to the Ethernet address specified in the identifier field.

How to do it...

Let's look at the following diagram, in which we have a server, PCs, and a router connected to a LAN switch. Wireshark is running on a laptop connected to the LAN switch, on a port that mirrors the whole switch (VLAN1).

The /24 notation in the drawing refers to a subnet mask of 24 bits, that is, 11111111.11111111.11111111.00000000 in binary or 255.255.255.0 in decimal.

Follow the instructions in the Configuring capture filters recipe, and configure filters as follows:

  1. To capture frames only from/to a specific MAC address, for example PC3 in the preceding image, configure ether host 00:24:d6:ab:98:b6.
  2. To capture frames going to a destination MAC address, for example PC3 in the preceding image, configure ether dst 00:24:d6:ab:98:b6.
  3. To capture frames coming from a source MAC address, for example PC3 in the preceding image, configure ether src 00:24:d6:ab:98:b6.
  4. To capture broadcast frames, configure ether broadcast or ether dst ff:ff:ff:ff:ff:ff.
  5. To capture multicast frames, configure ether multicast.
  6. To capture a specific EtherType, configure ether proto 0x0800 (IPv4). Write the value with the 0x prefix: libpcap reads a number that starts with 0 but not 0x as octal, so 0800 does not mean IPv4. For the common types you can also use the shorthand ip, ip6, and arp.

How it works…

The way capture filters work with source host and destination host is simple: the capture engine compares the 6-byte address in the filter with the destination MAC (bytes 0 to 5 of the frame) and/or the source MAC (bytes 6 to 11), and passes only frames that match.

A broadcast address is an address in which every bit of the destination address is 1, that is, ff:ff:ff:ff:ff:ff; therefore, when you configure a broadcast filter, only frames with this destination pass the filter. Broadcasts seen on the wire can be:

  • An L3 IPv4 broadcast that is converted to an L2 broadcast; for example, an IP packet to 10.0.0.255 (the directed broadcast of the 10.0.0.0/24 subnet in the previous illustration) or to the limited broadcast address 255.255.255.255, both of which are sent with an all-ones destination MAC.
  • A network-related broadcast; for example, an IPv4 ARP (Address Resolution Protocol) request, which is sent as a broadcast as part of normal network operation.

Tip

Network-related broadcasts are broadcasts that are sent for the regular operation of the network. Among these are ARPs, routing updates, discovery protocols, and so on.

The multicast filter tests only the I/G bit, the lowest bit of the first octet of the destination MAC address (tcpdump documents ether multicast as shorthand for ether[0] & 1 != 0). Any frame with that bit set is treated as multicast, including the broadcast address ff:ff:ff:ff:ff:ff, so use ether multicast and not ether broadcast if you want multicast only. The two address ranges you will see most often are:

  • In IPv4, a multicast group address is mapped to a MAC address that starts with 01:00:5e (the low 23 bits of the group address fill the remaining bits, giving the range 01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff). Every frame whose destination starts with this prefix is an IPv4 multicast.
  • In IPv6, a multicast group address is mapped to a MAC address that starts with 33:33, followed by the low 32 bits of the group address. Every frame whose destination starts with this prefix is an IPv6 multicast.

Ethernet protocol refers to the EtherType field in the Ethernet header, which identifies the upper-layer protocol. Common values are 0x0800 for IPv4, 0x86dd for IPv6, and 0x0806 for ARP. The filter compares the two bytes at offset 12 of the frame; on an 802.1Q-tagged frame those bytes hold the tag identifier 0x8100 instead, so ether proto matches the inner type only when the expression starts with the vlan keyword, as in vlan and ether proto 0x0800.

There's more...

  • To configure a filter for a specific VLAN, use vlan <vlan number>. This only matches frames that still carry their 802.1Q tag when they reach the capture port; check that the mirror port and the capturing NIC do not strip the tag.
  • Each vlan keyword shifts the filter's header offsets by 4 bytes, so vlan <vlan number> and vlan <vlan number> matches the second VLAN nested inside the first (QinQ), not frames from either VLAN. To capture frames from any of several VLANs, test the tag fields directly instead: ether[12:2] = 0x8100 and (ether[14:2] & 0x0fff = 10 or ether[14:2] & 0x0fff = 20).
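The following is an added example, not code from the recipe or from Wireshark, that evaluates the primitives described in the How it works… and There's more... sections against raw Ethernet frames, so that you can see exactly which header bytes each filter compares. The matching rules follow the tcpdump man page (ether multicast is ether[0] & 1 != 0, ether proto compares ether[12:2], vlan checks a TPID of 0x8100 and the low 12 bits of the TCI). PC3's MAC address comes from the recipe; the router MAC, the multicast frames and the VLAN 100 frame are constructed for the example and no libpcap is involved.

```python
"""Evaluate Layer 2 capture-filter primitives against constructed Ethernet frames.
Pure Python reimplementation of the tcpdump/libpcap matching rules for this recipe."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
TPID_8021Q = 0x8100
BROADCAST = bytes(6 * [0xFF])


def mac(text):
    """'00:24:d6:ab:98:b6' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, vlan_id=None, payload=b"\x00" * 46):
    """Ethernet II frame; with vlan_id, insert one 802.1Q tag (PCP/DEI left at 0)."""
    hdr = mac(dst) + mac(src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ether_host(frame, addr):   # ether host <addr>: source or destination
    return mac(addr) in (frame[:6], frame[6:12])


def ether_dst(frame, addr):    # ether dst <addr>: bytes 0..5
    return frame[:6] == mac(addr)


def ether_src(frame, addr):    # ether src <addr>: bytes 6..11
    return frame[6:12] == mac(addr)


def ether_broadcast(frame):    # ether broadcast: destination is all ones
    return frame[:6] == BROADCAST


def ether_multicast(frame):    # ether multicast: libpcap compiles this to ether[0] & 1 != 0
    # Only the I/G bit of the first destination octet is tested, so this covers
    # 01:00:5e (IPv4), 33:33 (IPv6), other group addresses, and broadcast too.
    return frame[0] & 1 == 1


def ether_proto(frame, ethertype, after_vlan=False):
    """ether proto <n>: compares ether[12:2]. On an 802.1Q frame those bytes hold
    the TPID 0x8100, so the inner type is seen only when a preceding 'vlan'
    keyword has shifted the offset by 4 bytes (after_vlan=True)."""
    off = 16 if after_vlan else 12
    return struct.unpack("!H", frame[off:off + 2])[0] == ethertype


def vlan(frame, vlan_id=None):
    """vlan [<id>]: tagged frame, optionally with VID == id (low 12 bits of the TCI)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return False
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vlan_id is None or vid == vlan_id


def vlan_in(frame, vlan_ids):
    """Equivalent of 'ether[12:2] = 0x8100 and (ether[14:2] & 0x0fff = a or ... = b)':
    any one of several VLANs on a single-tagged frame, without chaining 'vlan'
    keywords (which would match nested tags instead)."""
    return vlan(frame) and any(vlan(frame, v) for v in vlan_ids)


def demo():
    """Run the recipe's filters over constructed frames; returns {frame: {filter: bool}}."""
    pc3 = "00:24:d6:ab:98:b6"      # PC3's address from the recipe
    rtr = "02:00:00:00:00:01"      # hypothetical router MAC (constructed, locally administered)
    frames = {
        "pc3_to_router_ipv4": build_frame(rtr, pc3, ETHERTYPE_IPV4),
        "arp_request_from_pc3": build_frame("ff:ff:ff:ff:ff:ff", pc3, ETHERTYPE_ARP),
        "ipv4_multicast": build_frame("01:00:5e:00:00:fb", rtr, ETHERTYPE_IPV4),   # 224.0.0.251
        "ipv6_multicast": build_frame("33:33:00:00:00:01", rtr, ETHERTYPE_IPV6),   # ff02::1
        "pc3_to_router_vlan100": build_frame(rtr, pc3, ETHERTYPE_IPV4, vlan_id=100),
    }
    filters = {
        "ether host PC3": lambda f: ether_host(f, pc3),
        "ether dst PC3": lambda f: ether_dst(f, pc3),
        "ether src PC3": lambda f: ether_src(f, pc3),
        "ether broadcast": ether_broadcast,
        "ether multicast": ether_multicast,
        "ether proto 0x0800": lambda f: ether_proto(f, ETHERTYPE_IPV4),
        "vlan and ether proto 0x0800": lambda f: vlan(f) and ether_proto(f, ETHERTYPE_IPV4, after_vlan=True),
        "vlan 100": lambda f: vlan(f, 100),
        "vlan in {100, 200}": lambda f: vlan_in(f, {100, 200}),
    }
    return {name: {label: fn(frame) for label, fn in filters.items()}
            for name, frame in frames.items()}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for label, hit in results.items():
            print(f"  {label:30} {'match' if hit else '-'}")
```

Two results are worth noting when you run it: the ARP request matches ether multicast as well as ether broadcast, because the all-ones address has the I/G bit set, and the VLAN 100 frame does not match a bare ether proto 0x0800 because bytes 12 and 13 hold the 802.1Q tag identifier rather than the EtherType.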

See also

There are around a hundred EtherType codes, most of them no longer in use. You can refer to http://www.mit.edu/~map/Ethernet/Ethernet.txt for additional codes, or simply search the Internet for EtherType codes.
