Networking
20 June 2011

Wireshark Filters for Ethernet Multicast and Broadcast

At the Ethernet level, multicast traffic (and broadcast, which is just a special case of multicast) can be recognized by the least significant bit of the first (most significant) byte of the destination MAC address. If this bit is set to 1, the Ethernet frame is multicast traffic; otherwise it is unicast.

Display Filter for Excluding Broadcast/Multicast Traffic

!(eth.dst[0] & 1)

A display filter is used for packet filtering while viewing captured traffic.
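
The same bit test applied outside Wireshark, as an added example that is not part of the original post: it classifies raw Ethernet frames by destination MAC and drops group traffic the way the display filter above does. The function names and the sample frames are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 6-byte MAC address: {text!r}")
    return raw

def build_frame(dst, src, ethertype, payload=b""):
    """Assemble a minimal Ethernet II frame (no FCS) for the samples below."""
    return parse_mac(dst) + parse_mac(src) + struct.pack("!H", ethertype) + payload

def classify_dst(frame):
    """Return 'broadcast', 'multicast' or 'unicast' for the destination MAC."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"  # special case of multicast: bit 0 is set too
    # Same test as the display filter: eth.dst[0] & 1
    return "multicast" if dst[0] & 1 else "unicast"

def exclude_group_traffic(frames):
    """Keep only unicast frames, like the filter !(eth.dst[0] & 1)."""
    return [f for f in frames if classify_dst(f) == "unicast"]

# Constructed sample frames (not captured traffic).
SRC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", SRC, 0x0806),  # ARP-style broadcast
    build_frame("01:00:5e:00:00:fb", SRC, 0x0800),  # IPv4 multicast mapping
    build_frame("33:33:00:00:00:01", SRC, 0x86DD),  # IPv6 multicast mapping
    build_frame("02:00:00:00:00:02", SRC, 0x0800),  # bit 1 set, bit 0 clear: unicast
    build_frame("00:00:5e:00:53:10", SRC, 0x0800),  # unicast
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame[:6].hex(":"), classify_dst(frame))
    print("kept after filtering:", len(exclude_group_traffic(SAMPLE_FRAMES)))
```

The destination 02:00:00:00:00:02 shows that only bit 0 of the first byte decides the result; other bits in that byte do not make a frame multicast.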

Capture Filter for Excluding Broadcast/Multicast Traffic

not broadcast and not multicast

Wireshark capture filters are specified before capturing commences, and use the same syntax as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library. Capture filters can exclude traffic from being captured at all.

2 Responses to “Wireshark Filters for Ethernet Multicast and Broadcast”

  1. George 16 March 2013 at 4:00 am #

    How about one FOR broadcast and multicast only?

  2. BT 4 April 2013 at 7:46 pm #

    George,
    try removing the bang !; also keep the parenthesis optional at that point.

    _BT

