"Lentes, Bernd" <bernd.len...@helmholtz-muenchen.de> wrote:
> I'd like to capture all packets which have the same MAC-address for sender and
> destination.
> But I don't know the MAC which is causing these messages. So I have to use a
> universal filter.
> I tried to use "tcpdump 'ether[8:6] = ether[14:6]'". Beginning with byte 8 is the destination MAC
> and beginning with byte 14 is the source MAC.
> And each MAC has the size of 6 bytes.
> But I got this message: "tcpdump: data size must be 1, 2, or 4". Is there a way
> to capture the desired 6 bytes?

I think you'll have to split it up into 2 checks: 1 for 4 bytes and 1 for 2 bytes.
Something like:
tcpdump -d "(ether[8:4]=ether[14:4]) && (ether[12:2]=ether[18:2])"
(000) ld [8]
(001) st M[1]
(002) ld [14]
(003) tax
(004) ld M[1]
(005) jeq x jt 6 jf 13
(006) ldh [12]
(007) st M[4]
(008) ldh [18]
(009) tax
(010) ld M[4]
(011) jeq x jt 12 jf 13
(012) ret #65535
(013) ret #0
Looks like the pseudo-asm code is correct w/o knowing what 'tax' is.
(Note: I had to use '&&' in my shell to escape the '&').
--gv
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
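
An added example, not part of the original thread or of tcpdump: a small Python interpreter for the classic-BPF instructions in the listing above, showing that 'tax' copies the accumulator A into the index register X so that 'jeq x' can compare two packet loads. The tuple encoding, the function names and the sample frames are constructed for this example, and it assumes the standard Ethernet II layout (destination MAC at bytes 0-5, source MAC at bytes 6-11) rather than the offsets used in the thread.

```python
import struct

def build_prog(a_off, b_off):
    """Instruction sequence from the tcpdump -d listing, for two 6-byte fields."""
    return [
        ("ld", a_off),        # (000) A = 32-bit word at a_off
        ("st", 1),            # (001) M[1] = A
        ("ld", b_off),        # (002) A = 32-bit word at b_off
        ("tax",),             # (003) X = A
        ("ldm", 1),           # (004) A = M[1]  (shown as "ld M[1]" in the dump)
        ("jeqx", 6, 13),      # (005) A == X ? goto 6 : goto 13
        ("ldh", a_off + 4),   # (006) A = 16-bit halfword, the last 2 bytes
        ("st", 4),            # (007) M[4] = A
        ("ldh", b_off + 4),   # (008) A = last 2 bytes of the other field
        ("tax",),             # (009) X = A
        ("ldm", 4),           # (010) A = M[4]
        ("jeqx", 12, 13),     # (011) A == X ? goto 12 : goto 13
        ("ret", 65535),       # (012) accept: capture up to 65535 bytes
        ("ret", 0),           # (013) reject
    ]

def run(prog, pkt):
    """Execute the program over raw frame bytes; return its 'ret' value."""
    a = x = pc = 0
    mem = [0] * 16                      # classic BPF scratch memory M[0..15]
    while True:
        op, *args = prog[pc]
        pc += 1
        if op in ("ld", "ldh"):
            size, fmt = (4, ">I") if op == "ld" else (2, ">H")
            if args[0] + size > len(pkt):
                return 0                # out-of-bounds load rejects the packet
            a = struct.unpack_from(fmt, pkt, args[0])[0]
        elif op == "st":
            mem[args[0]] = a
        elif op == "ldm":
            a = mem[args[0]]
        elif op == "tax":
            x = a
        elif op == "jeqx":
            pc = args[0] if a == x else args[1]
        elif op == "ret":
            return args[0]

# Constructed sample frames: dst MAC | src MAC | EtherType | padding
MAC_A, MAC_B, MAC_C = map(bytes.fromhex, ("020000000001", "020000000002", "020000010001"))
def frame(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)
SAME_MAC = build_prog(0, 6)             # assumption: Ethernet II, dst at 0, src at 6
```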