Feature #6743

closed

Packet Capture - Filter MAC

Added by Clinton Cory about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Diagnostics
Target version:
Start date: 08/25/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

Under Diagnostics -> Packet Capture, there is no option to filter by partial or full MAC address. This should be fairly simple to add since the capture file includes link-layer headers already.

To add this functionality I believe the following changes need to occur in /usr/local/www/diag_packet_capture.php

1) Add logic to the existing $host sanity and parsing functions to account for a MAC address in one of the following formats (lower-case or upper-case hexadecimal) when entered in the host field:
XX:XX:XX:XX:XX:XX
XXXX.XXXX.XXXX
XXXXXXXXXXXX

2) If a MAC is used as the host then determine if the MAC entered is a complete or partial MAC.
If a partial MAC is used then it must be the first byte (two hexadecimal values), first two bytes (four hexadecimal values), or first four bytes (six hexadecimal values).

3) If a MAC is detected as the host automatically include the -e flag regardless of the Detail value selected ($detail_args).

4) If a complete MAC is provided then append ether host {$mac} when reading the capture file, i.e.:
system("/usr/sbin/tcpdump {$disabledns} {$detail_args} {$iscarp} -r {$fp}{$fn} ether host {$mac}");

5) If a partial MAC is provided then append one of the following enclosed in quotes (M = hexadecimal value):
First two of MAC address -> "ether[0:1] 0xMM or ether[6:1] 0xMM"
First four of MAC address -> "ether[0:2] 0xMMMM or ether[6:2] 0xMMMM"
First six of MAC address -> "ether[0:4] 0xMMMMMM or ether[6:4] 0xMMMMMM"

I'd recommend using a variable to define the ether parameter that is appended to tcpdump when reading the capture. So, for example (not accurate syntax, but you get the point):
IF mac THEN
$ether = "ether host $mac"
ELIF partmac THEN
$ether = "ether[0:$B] 0x($mac) or ether[6:$B] 0x($mac)"

If $ether is null then I imagine it can always be included in the tcpdump command reading output. It also may be a good idea to convert the MAC value into a string of lower-case values for consistency. Determining the length of that string should be easier and can be used to create conditions when partial matching.
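The parsing and filter-building steps laid out in the request, as an added standalone example. This is illustrative Python written for this page, not the pfSense PHP in diag_packet_capture.php and not the change that was later committed. It assumes the three input formats from step 1 plus colon- or dot-separated prefixes, and it treats 1-, 2- and 4-octet prefixes as the usable partial lengths, because the pcap filter grammar only allows ether[offset:size] with a size of 1, 2 or 4 (a 3-octet prefix cannot be expressed this way). It also writes the comparison with the "=" the tcpdump filter grammar requires. The function names and the capture path used at the bottom are hypothetical.

```python
import re

# Separators tolerated in the three request formats (xx:xx:xx:xx:xx:xx,
# xxxx.xxxx.xxxx, xxxxxxxxxxxx) and in separated prefixes such as xx:xx.
_SEP_RE = re.compile(r"[:.]")
_HEX_RE = re.compile(r"^[0-9a-f]+$")

# The pcap filter grammar only permits ether[offset:size] with size 1, 2 or 4,
# so a partial MAC must be 1, 2 or 4 leading octets (2, 4 or 8 hex digits).
PARTIAL_OCTET_LENGTHS = (1, 2, 4)
FULL_OCTETS = 6


def normalize_mac(value):
    """Return the lower-case hex digits of a full or usable partial MAC, or None.

    Anything that is not purely hex after removing separators is rejected, which
    is what keeps shell metacharacters out of the tcpdump command line later.
    """
    if not isinstance(value, str):
        return None
    digits = _SEP_RE.sub("", value.strip()).lower()
    if not digits or not _HEX_RE.match(digits) or len(digits) % 2:
        return None
    octets = len(digits) // 2
    if octets == FULL_OCTETS or octets in PARTIAL_OCTET_LENGTHS:
        return digits
    return None


def build_ether_filter(value):
    """Turn a full or partial MAC into a tcpdump filter expression.

    Full MAC    -> "ether host xx:xx:xx:xx:xx:xx"
    Partial MAC -> "ether[0:N] = 0xHH.. or ether[6:N] = 0xHH.."
                   (ether[0:N] is the destination MAC prefix, ether[6:N] the source)
    """
    digits = normalize_mac(value)
    if digits is None:
        raise ValueError("not a full or 1/2/4-octet partial MAC: %r" % (value,))
    octets = len(digits) // 2
    if octets == FULL_OCTETS:
        return "ether host " + ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return "ether[0:{n}] = 0x{h} or ether[6:{n}] = 0x{h}".format(n=octets, h=digits)


def tcpdump_read_argv(capture_path, value, detail_args=("-n",)):
    """Assemble argv for reading a capture file filtered by MAC.

    -e is forced on so link-layer addresses are printed whatever the detail
    level, and the filter is one argv element, so no user input reaches a shell.
    """
    argv = ["/usr/sbin/tcpdump"]
    argv.extend(detail_args)
    argv.extend(["-e", "-r", capture_path, build_ether_filter(value)])
    return argv


if __name__ == "__main__":
    # Constructed sample inputs; the capture path is hypothetical.
    for sample in ("00:11:22:33:44:55", "0011.2233.4455", "AA:BB", "00:11:22:33",
                   "00:11:22", "aa; id"):
        try:
            print(sample, "->", build_ether_filter(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
    print(tcpdump_read_argv("/root/packetcapture.cap", "aa:bb"))
```

The host field ends up on a tcpdump command line, so the validator returns nothing but hex digits and the argv is built without a shell; a caller that keeps the system() string shown above would still need escapeshellarg() (or an equivalent) on the value in addition to the format check.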

Actions #1

Updated by Renato Botelho over 4 years ago

  • Assignee set to Renato Botelho
  • Target version set to 2.4.1
Actions #2

Updated by Jim Pingle over 4 years ago

This is already partially done, 151b4e35eead8d1b1a9ccd1d1c3b3c4fb0e6620a

Though the calls to is_macaddr() could be changed to pass true for the second parameter to allow partial MAC matching that would take a bit more work crafting the tcpdump command as noted above.

Actions #3

Updated by Clinton Cory over 4 years ago

Jim Pingle wrote:

This is already partially done, 151b4e35eead8d1b1a9ccd1d1c3b3c4fb0e6620a

Though the calls to is_macaddr() could be changed to pass true for the second parameter to allow partial MAC matching that would take a bit more work crafting the tcpdump command as noted above.

The text under the "Host Address" field needs to be updated as well.

Actions #4

Updated by Jim Pingle over 4 years ago

  • Assignee changed from Renato Botelho to Jim Pingle
  • Target version changed from 2.4.1 to 2.4.0

I'll take this, it wasn't too difficult to implement, I've got a working set of changes to push.

Actions #5

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by John Murphy over 4 years ago

An initial packet capture was taken over the LAN interface to capture a sample of active MAC addresses on the network. After obtaining several MAC addresses to use while testing the filter, different packet captures were run, limited to 1, 2, and 4 octets. Analysis of these various packet captures showed the expected MAC addresses contained in the capture files.

Testing environment:

  • SG-2220 w/ 2.4.0.b.20170301.1546
  • Wireshark for analysis of downloaded capture files.
Actions #7

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

Confirmed on a snapshot here, too. Thanks for testing!
