--- Marco van den Bovenkamp <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > > But I�m looking to capture all packets coming from > > NICs which MAC address that start with 01:23:45 > > > > I have tried ether src[0:3]=01:23:45 or > > > ether src[0:3] 01:23:45 or ether host > > src[0:3] 01:23:45 but all returns a parse > error > > > > I�m using ethereal 0.10.0, tcpdump 3.8, libpcap > 0.8 > > > > Any ideas as to what I should use or what i'm > doing > > wrong. > > It's 'proto[start:size]', where 'size' can be 1, 2 > or 4, with a default > of 1. So to do what you want something like > 'ether[6:2] = 0x0123 and > ether[8] = 0x45' should work. > > -- > > Groeten, > > Marco. > >
Thanks Marco, works great. I would never have known to use hex since �ether 01:23:45:67:89:ab� does not use hex. How come ether[10:4]=0x01234567 does not work? It doesn�t give me a parser error but it does not capture any packets. Thanks -Mike __________________________________ Do you Yahoo!? Yahoo! Finance: Get your refund fast by filing online. http://taxes.yahoo.com/filing.html _______________________________________________ Ethereal-users mailing list [EMAIL PROTECTED] http://www.ethereal.com/mailman/listinfo/ethereal-users
