Menu
I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some mac addresses. To do this I tried to run the command using a syntax similar to Wireshark:
tcpdump -i prism0 ether src[0:3] 5c:95:ae -s0 -w | nc 192.168.1.147 31337
so that I can listen to all the devices that have as initial mac address 5c:95:ae.
The problem is that the syntax is wrong and I was wondering if anyone of you knows the right syntax to get what I want.
613
To filter on TCP and UDP ports, use the port directive. This captures both TCP and UDP traffic using the specified port either as a source or destination port. It can be combined with tcp or udp to specify the protocol, and src or dst to specify a source or destination port.
tcpdump Filter Packets – Capture all the packets other than arp and rarp.
With man pcap-filter I found this solution:
tcpdump "ether[6:2] == 0x5c95 and ether[8:1] == 0xae"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
