How to filter MAC addresses using tcpdump?

wireshark ethernet pcap tcpdump packet-capture
Giovanni Soldi picture Giovanni Soldi · Oct 26, 2012 · Viewed 68.9k times · Source

I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some mac addresses. To do this I tried to run the command using a syntax similar to Wireshark:

tcpdump -i prism0 ether src[0:3] 5c:95:ae -s0 -w | nc 192.168.1.147 31337

so that I can listen to all the devices that have as initial mac address 5c:95:ae.

The problem is that the syntax is wrong and I was wondering if anyone of you knows the right syntax to get what I want.

Answer

graphite picture graphite · Oct 26, 2012

With man pcap-filter I found this solution:

tcpdump "ether[6:2] == 0x5c95 and ether[8:1] == 0xae"

Related questions

What are the 0 bytes at the end of an Ethernet frame in Wireshark?

after ARP protocol in a frame, there are many 0 bytes. Does anyone know the reason for the existence of these 0 bytes?

Read More
How to filter by IP address in Wireshark?

I tried dst==192.168.1.101 but only get : Neither "dst" nor "192.168.1.101" are field or protocol names. The following display filter isn't a valid display filter: dst==192.168.1.101

Read More
Capturing mobile phone traffic on Wireshark

How can I capture mobile phone traffic on Wireshark?

Read More