Wildcard not working in eth.addr

wildcard
eth.addr
filter
retag add tags

I'm trying to look for a potential duplicate MAC Address. I've read that the . or * is suppose to be the wildcard, but the filter isn't accepting that.

I've tried

eth.addr == 00:04:f2:ae:55:33
eth.addr == 00:04:f2:**:**:**
eth.addr == 00:04:f2:*
eth.addr == 00:04:f2:.
eth.addr == 00:04:f2:..:..:..
eth.addr == 00:04:f2:.:.:.

The filter just remains red and won't accept the filter.

muwaha

asked 2023-07-06 19:19:54 +0000

23.8k

grahamb

updated 2023-07-07 08:30:41 +0000

edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

2 Answers

Sort by

oldest

newest

most voted

WSUG 6.4.4. Slice Operator:

eth.addr[0:3] == 00:04:f2

Chuckc

answered 2023-07-06 20:28:28 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

I'm trying to look for a potential duplicate MAC Address.

You might want to use tshark along with other CLI tools to help with this? For example:

tshark -r file.pcapng -Y "eth.addr[0:3] == 00:04:f2" -T fields -e eth.src -e ip.src > eth_addr.txt
tshark -r file.pcapng -Y "eth.addr[0:3] == 00:04:f2" -T fields -e eth.dst -e ip.dst >> eth_addr.txt
sort eth_addr.txt | uniq -c

11.1k

cmaynard

answered 2023-07-08 15:22:36 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

Wildcard not working in eth.addr edit

Comments

2 Answers

Comments

Comments