Click here to Skip to main content
15,867,756 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hello
I'm trying to capture packets on the network sent by a specific brand of devices.
I know the vendor part of their MAC address.
I managed to capture arp packets and I can also filter using full MAC address, but I can't find the proper syntax for the filter so that only the vendor ID of the MAC is used.
Any idea of the correct syntax?

What I have tried:

var devices = CaptureDeviceList.Instance;
var device = devices[5];

string filter = @"ether proto \arp and ether src host 00-00-0A-A3-61-BF";

device.Open();
device.Filter = filter;
device.OnPacketArrival += Device_OnPacketArrival;
device.StartCapture();
Posted
Updated 4-Oct-22 3:06am
Comments
0x01AA 4-Oct-22 11:04am    
Jérôme Pinard 2021 6-Oct-22 8:50am    
Well in fact, this solution work as display filter, not as cpature filter.
The best I can get with capture filter is this expression, "ether[0:4] & 0xffffff00 = 0x00000a00"
but it only capture outgoing traffic to this mac address.
I tried to write "ether[6:4] & 0xffffff00 = 0x00000a00" because I've seen that on incoming fames, the mac address of my device was at the offset 6 but without success
Jérôme Pinard 2021 6-Oct-22 9:03am    
Finally found the solution for filtering incoming trafic from a specific mac vendor : ether [6:1] =0x00 and ether [7:1] =0x00 and ether [8:1] =0x0A
0x01AA 6-Oct-22 9:35am    
Great that you found a solution.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900