Wireshark Filters for Ethernet Multicast and Broadcast

Networking

20 June 2011 1 Comment

Wireshark Filters for Ethernet Multicast and Broadcast

On the Ethernet level, multicast traffic (and broadcast, which is just a special case of multicast) can be recognized by the least significant bit of the most significant byte of the MAC address. If this bit is set to 1, then the Ethernet frame is multicast traffic, otherwise it is unicast.

Display Filter for Excluding Broadcast/Multicast Traffic

!(eth.dst[0] & 1)

A display filter is used for packet filtering while viewing captured traffic.

Capture Filter for Excluding Broadcast/Multicast Traffic

not broadcast and not multicast

Wireshark capture filters are specified before capturing commences, and use the same syntax as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library. Capture filters can exclude traffic from being captured at all.

Tags: broadcast, display filter, eth.dst, multicast, wireshark

One Response to “Wireshark Filters for Ethernet Multicast and Broadcast”

George 16 March 2013 at 4:00 am #

How about one FOR broadcast and multicast only

Reply

Tech Juice

Programming, Networking, Reversing and More