Wireshark mailing list archives

Re: filter huge pcap file based on multiple mac address


From: <Tim.Poth () bentley com>
Date: Fri, 30 Nov 2012 13:40:11 +0000

You can filter in Wireshark using eth.addr
E.g.
eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55

If you wanted to split the file at the command prompt you could use tshark
E.g.
tshark -r infile.pcapng -w outfile.pcapng -R "eth.addr eq 64:31:50:44:48:22 or eth.addr eq 64:31:50:44:48:55"

You can also invert these filters by adding a ! at the beginning
E.g.
!eth.addr eq 64:31:50:44:48:22

This will give you all frames that do not have a MAC address of 64:31:50:44:48:22

Hope that helps
tim

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Abbhishek Misra
Sent: Thursday, November 29, 2012 11:24 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] filter huge pcap file based on multiple mac address

Hello All,

I have a large pcap file with lots of unwanted wireless packets.

I wish to filter/split it based on 2 mac address.
Please let me know how to do that.

bye
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
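
An added example (not from the thread and not Wireshark code): the same eth.addr-style match, including the inverted form, done in Python by streaming a capture one record at a time so a huge file never has to fit in memory. It assumes a classic pcap file (not pcapng) with Ethernet link type; `parse_mac`, `filter_pcap`, `sample_capture` and the third MAC address are names and values constructed for illustration.

```python
import struct

def parse_mac(text):
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("not a MAC address: %r" % text)
    return raw

def filter_pcap(src, dst, macs, invert=False):
    """Stream frames whose source or destination MAC is in `macs` from src to dst.

    Reads one record at a time, so memory use does not grow with capture size.
    Returns (frames_read, frames_written).
    """
    wanted = {parse_mac(m) for m in macs}
    header = src.read(24)
    if header[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # little-endian, microsecond or nanosecond timestamps
    elif header[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("capture is not Ethernet; eth.addr-style matching does not apply")
    dst.write(header)
    read = written = 0
    while True:
        rec = src.read(16)
        if len(rec) < 16:
            break
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            break  # truncated final record: stop instead of writing a bad frame
        read += 1
        # Ethernet header: bytes 0-5 destination, 6-11 source; eth.addr matches either.
        if (frame[:6] in wanted or frame[6:12] in wanted) != invert:
            dst.write(rec + frame)
            written += 1
    return read, written

def sample_capture():
    """Constructed three-frame little-endian Ethernet pcap for demonstration."""
    a, b, c = (parse_mac("64:31:50:44:48:%02x" % n) for n in (0x22, 0x55, 0x99))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst_mac, src_mac in ((a, c), (c, b), (c, c)):
        frame = dst_mac + src_mac + b"\x08\x00" + b"\x00" * 46
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

For real files, pass handles opened in binary mode, e.g. `open("infile.pcap", "rb")` and `open("outfile.pcap", "wb")`, as `src` and `dst`.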
