![wireshark mac address only](https://itexamanswers.net/wp-content/uploads/2020/10/Explore-DNS-Query-Traffic1.jpg)
This will tell Wireshark to only display TCP connections destined for. (I'm assuming the traffic you are looking for is traveling to a destination on another switch, outside the network, or at least to your gateway).

By specifying the MAC address filter, `eth.addr eq xx:xx:xx:xx:xx:xx`, you are filtering for all traffic to and from that associated MAC address. You may notice that the first portion of a MAC address may be replaced by the.

If you are trying to trace MACs on the switch you are also connected to, then you'll want to sniff from a port which is spanned/mirrored to the port which has inbound/outbound traffic of that switch, so that you will see all the traffic coming in and out of the switch. For instance, `tshark -i 1 -Y "eth.addr eq xx:xx:xx:xx:xx:xx or eth.addr eq xx:xx:xx:xx:xx:xx"`

And when I start to write ether it doesn't come up with anything I can use.

To filter by IP address, type `ip.addr == xx.xx.xx.xx`. You can use a list for your MACs in one display filter, but not a range, unless you switch to IPs instead of MACs.

I want to filter it so it only displays packets from the host MAC address.

Filter the log using the unauthorized IP or MAC address to only view entries for the offending connection.

About 24 hours after these changes, the issue has not crept back up.

If you are using a display filter of `eth.addr == xx:xx:xx:xx:xx:xx` and you are not seeing any information being displayed/sniffed, then the traffic for that MAC address is not passing through the port you're sniffing on.

EDIT: per u/treemeizer's request (TY g) I ran a Wireshark capture on the DHCP server, limiting to DHCP ports only, found a bunch of successive DHCP requests and denies. I added a DENY filter in on DHCP of the MAC I found out and it appears to have subsided.