Using the Wireshark "Filter" field in the Wireshark GUI, I would like to filter capture results so that only multicast packets are shown.
I've seen this post but that doesn't work for the GUI filter field. This Wireshark page shows how to filter out multicast, but not how to filter everything but multicast.
Does anyone know of a simple statement that will do this?
Thank you in advance!
Just use this (eth.dst[0] & 1) . Multicast traffic is recognized by the least significant bit of the most significant byte of the MAC address. If 1, multicast, if 0, not.
(eth.dst[0]&1)
will filter both multicast and broadcast. So, from this exclude broadcast. It will be like
(eth.dst[0]&1) && !eth.dst==ff:ff:ff:ff:ff:ff
With Wireshark (2.2.6 version for Linux) is possible to choose the filter "eth.ig == 1"
It refer to "IG bit" that is present in the Ethernet Frame.
The IG bit distinguishes whether the MAC address is an individual or group (hence IG) address. In other words, an IG bit of 0 indicates that this is a unicast MAC address, an IG bit of 1 indicates a multicast or broadcast address.
I came across this solution by a process of trial and error.
Since a multicast address begins "1110" (128+64+32+0 = 224), a packet sent to a an IP address beginning 1110 is destined for a multicast address. Therefor, a packet matching the mask 224.0.0.0/4 is destined for a multicast address.
This display filter should therefor filter packets to multicast addresses only:
ip.dst==224.0.0.0/4
Have you tried just using multicast as your filter? Because if not multicast filters out all multicast packets and lets through everything else as the page you linked seems to state, then that's only logical.
来源:https://stackoverflow.com/questions/11400046/wireshark-filter-by-multicast-in-gui