Re: A broken filter...

[Hannes Gredler <hannes () juniper net>]

Dan Joumaa wrote:
> Hello,
>
> I am trying to capture all ethernet packets with the source host's first 
> 3 octets being 00, 09, and bf. It was suggested that I used this filter: 
> "ether[0] == 0x00 && ether[1] == 0x09 && ether[2] == 0xbf." When packets 
> are sent that should match, nothing comes through. When I remove the 
> filter, I'm able to receive the packets, along with every other packet.
>
> What's wrong with my filter?

perhaps the filter is alright and the data is wrong ;-) -> i.e.

an  idea that come sinto mind is that
the packets come in using 802.1Q (VLAN) encaps ...

can you provide some more information about your capturing interface ?

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.