Using the Wireshark "Filter" field in the Wireshark GUI, I would like to filter capture results so that only multicast packets are shown.
I've seen this post but that doesn't work for the GUI filter field. This Wireshark page shows how to filter out multicast, but not how to filter everything but multicast.
Does anyone know of a simple statement that will do this?
Thank you in advance!
Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
Multicast allows a single network packet to be delivered to a group of receivers. Any Ethernet, or other 802.x, address with a high-order bit set to 1 (that is, if its first octet is odd) is multicast, except for the Broadcast address (which is all ones).
To only display packets containing a particular protocol, type the protocol name in the display filter toolbar of the Wireshark window and press enter to apply the filter. Figure 6.8, “Filtering on the TCP protocol” shows an example of what happens when you type tcp in the display filter toolbar.
Just use this: (eth.dst[0] & 1). Multicast traffic is recognized by the least significant bit of the most significant byte of the MAC address. If 1, multicast; if 0, not.
(eth.dst[0]&1)
will filter both multicast and broadcast. So, from this exclude broadcast. It will be like
(eth.dst[0]&1) && !eth.dst==ff:ff:ff:ff:ff:ff
With Wireshark (version 2.2.6 for Linux) it is possible to choose the filter "eth.ig == 1".
It refers to the "IG bit" that is present in the Ethernet frame.
The IG bit distinguishes whether the MAC address is an individual or group (hence IG) address. In other words, an IG bit of 0 indicates that this is a unicast MAC address, an IG bit of 1 indicates a multicast or broadcast address.
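As an added example (not from the question or any of the answers above), a small Python script that applies the tests the answers describe to constructed Ethernet/IPv4 frames: the eth.ig / eth.dst low-bit check with the broadcast address excluded, and the ip.addr >= 224.0.0.0 range next to a strict 224.0.0.0/4 check, since the range form also matches 240.0.0.0/4 and 255.255.255.255. The frame builder and sample frames are constructed here, not captured.

```python
import struct
from ipaddress import IPv4Address

BROADCAST_MAC = bytes.fromhex("ffffffffffff")

def mac_class(dst_mac: bytes) -> str:
    """Same test as eth.ig == 1 / (eth.dst[0] & 1): the low bit of the first
    octet marks a group address; all-ones is the broadcast case that
    (eth.dst[0]&1) && !eth.dst==ff:ff:ff:ff:ff:ff excludes."""
    if dst_mac == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if dst_mac[0] & 1 else "unicast"

def ipv4_dst(frame: bytes):
    """IPv4 destination of a frame, or None if the EtherType is not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    return IPv4Address(frame[30:34])  # 14-byte Ethernet header + 16 bytes in

def range_filter_matches(frame: bytes) -> bool:
    """Mirror of 'ip.addr >= 224.0.0.0' applied to the destination address."""
    dst = ipv4_dst(frame)
    return dst is not None and dst >= IPv4Address("224.0.0.0")

def strict_multicast(frame: bytes) -> bool:
    """Class D only (224.0.0.0/4); excludes 240/4 and 255.255.255.255."""
    dst = ipv4_dst(frame)
    return dst is not None and dst.is_multicast

def build_frame(dst_mac: str, dst_ip: str) -> bytes:
    """Constructed frame: Ethernet header + 20-byte IPv4 header (UDP, no
    payload). Checksum is left zero; it is irrelevant for these checks."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = (b"\x45\x00" + struct.pack("!H", 20) + b"\x00\x00\x00\x00\x40\x11\x00\x00"
          + IPv4Address("10.0.0.1").packed + IPv4Address(dst_ip).packed)
    return eth + ip

def classify(frame: bytes) -> dict:
    return {"mac": mac_class(frame[0:6]),
            "ip_range_filter": range_filter_matches(frame),
            "ip_multicast": strict_multicast(frame)}

SAMPLES = {  # constructed sample frames, not captured traffic
    "ospf_hello": build_frame("01:00:5e:00:00:05", "224.0.0.5"),
    "dhcp_discover": build_frame("ff:ff:ff:ff:ff:ff", "255.255.255.255"),
    "reserved_dst": build_frame("00:aa:bb:cc:dd:ee", "240.0.0.1"),
    "unicast": build_frame("00:aa:bb:cc:dd:ee", "10.0.0.2"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
```

The dhcp_discover and reserved_dst rows show why a filter built on the MAC group bit (with broadcast excluded) and a filter built on ip.addr >= 224.0.0.0 select different packet sets.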