Feature #6743
Packet Capture - Filter MAC
Status: Closed (100% done)
Description
Under Diagnostics -> Packet Capture, there is no option to filter by partial or full MAC address. This should be fairly simple to add since the capture file includes link-layer headers already.
To add this functionality I believe the following changes need to occur in /usr/local/www/diag_packet_capture.php
1) Add logic to the existing $host sanity and parsing functions to account for a MAC address in one of the following formats (lower-case or upper-case hexadecimal) when entered in the host field:
XX:XX:XX:XX:XX:XX
XXXX.XXXX.XXXX
XXXXXXXXXXXX
2) If a MAC is used as the host, then determine whether the MAC entered is a complete or partial MAC.
If a partial MAC is used, then it must be the first byte (two hexadecimal values), first two bytes (four hexadecimal values), or first four bytes (six hexadecimal values).
3) If a MAC is detected as the host, automatically include the -e flag regardless of the Detail value selected ($detail_args).
4) If a complete MAC is provided, then append ether host {$mac} when reading the capture file, i.e.:
system("/usr/sbin/tcpdump {$disabledns} {$detail_args} {$iscarp} -r {$fp}{$fn} ether host {$mac}");
5) If a partial MAC is provided, then append one of the following, enclosed in quotes (M = hexadecimal value):
First two of MAC address -> "ether[0:1] 0xMM or ether[6:1] 0xMM"
First four of MAC address -> "ether[0:2] 0xMMMM or ether[6:2] 0xMMMM"
First six of MAC address -> "ether[0:4] 0xMMMMMM or ether[6:4] 0xMMMMMM"
I'd recommend using a variable to define the ether parameter that is appended to tcpdump when reading the capture. So for example (not accurate syntax, but you get the point):
IF mac THEN
$ether = "ether host $mac"
ELIF partmac THEN
$ether = "ether[0:$B] 0x($mac) or ether[6:$B] 0x($mac)"
If $ether is null then I imagine it can always be included in the tcpdump command reading output. It also may be a good idea to convert the MAC value into a string of lower-case values for consistency. Determining the length of that string should be easier and can be used to create conditions when partial matching.
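The parsing and filter-construction procedure described in the request above, as an added Python example. It is not part of this issue or of pfSense's diag_packet_capture.php (which is PHP); normalize_mac, mac_filter, tcpdump_argv and run_tcpdump are hypothetical names chosen for illustration. It accepts the three input formats listed above, treats 1 to 5 leading octets as a prefix (the request asks for 1, 2 and 4 octets; 3- and 5-octet prefixes are handled here by splitting them into the 1/2/4-byte reads that BPF's ether[off:len] accepts, which goes beyond the request), matches the prefix against both the destination field at offset 0 and the source field at offset 6, and hands the expression to tcpdump as a single argv element instead of interpolating it into a system() string, so the whitelist regex is the only thing between the host field and the command line. The sample inputs in the __main__ block are constructed.

```python
import re
import subprocess  # used only by run_tcpdump(); the argv builder itself never touches a shell

# Accepted host-field shapes (case-insensitive): a full MAC or a leading prefix in any of
#   XX:XX:XX:XX:XX:XX   XXXX.XXXX.XXXX   XXXXXXXXXXXX
_COLON_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){0,5}$", re.I)
_DOT_RE = re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){0,2}$", re.I)
_RAW_RE = re.compile(r"^(?:[0-9a-f]{2}){1,6}$", re.I)


def normalize_mac(text):
    """Return the MAC (or prefix) as 2..12 lowercase hex digits, or None if it is not one.

    Anything outside the whitelist above is rejected, so the result can only ever
    contain [0-9a-f]; this is the check that keeps shell and filter metacharacters
    out of the tcpdump command line.
    """
    s = text.strip()
    if not (_COLON_RE.match(s) or _DOT_RE.match(s) or _RAW_RE.match(s)):
        return None
    return re.sub(r"[:.]", "", s).lower()


def _widths(n_octets):
    """Split a prefix length into the 4/2/1-byte reads that BPF's ether[off:len] allows."""
    widths, left = [], n_octets
    for w in (4, 2, 1):
        while left >= w:
            widths.append(w)
            left -= w
    return widths


def mac_filter(digits):
    """Build the tcpdump filter for normalized hex digits (a full MAC or a 1..5 octet prefix)."""
    n = len(digits) // 2
    if n == 6:
        # Complete address: tcpdump's own primitive already matches source or destination.
        return "ether host " + ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def side(offset):
        # Ethernet header layout: destination MAC at bytes 0..5, source MAC at bytes 6..11.
        terms, pos = [], 0
        for w in _widths(n):
            chunk = digits[2 * pos:2 * (pos + w)]
            terms.append("ether[%d:%d] = 0x%s" % (offset + pos, w, chunk))
            pos += w
        return " and ".join(terms)

    return "(%s) or (%s)" % (side(0), side(6))


def tcpdump_argv(capture_path, host_field, disable_dns=True, detail_args=()):
    """argv for reading a saved capture filtered by the MAC typed into the host field.

    -e (print link-layer headers) is forced on whenever a MAC filter is in use, as the
    request asks. The filter expression is ONE argv element: no shell, no interpolation.
    """
    digits = normalize_mac(host_field)
    if digits is None:
        raise ValueError("host field is not a MAC address or MAC prefix: %r" % host_field)
    argv = ["/usr/sbin/tcpdump", "-e"]
    if disable_dns:
        argv.append("-n")
    argv.extend(detail_args)
    argv.extend(["-r", capture_path, mac_filter(digits)])
    return argv


def run_tcpdump(capture_path, host_field):
    """Execute the command built above without a shell and return tcpdump's text output."""
    return subprocess.run(tcpdump_argv(capture_path, host_field),
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample inputs: three valid shapes, one prefix, and one injection attempt.
    for sample in ("00:0C:29:AB:CD:EF", "000c.29ab.cdef", "00:0c:29", "0C", "aa; rm -rf /"):
        try:
            print(sample, "->", tcpdump_argv("/root/packetcapture.cap", sample)[-1])
        except ValueError as exc:
            print(sample, "->", exc)
```

Note the difference from the system() call quoted in the request: there, a value that slipped past the sanity check would be parsed by the shell; here it can at worst be a malformed BPF expression that tcpdump refuses, and normalize_mac() rejects it before that anyway.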
Updated by Renato Botelho over 7 years ago
- Assignee set to Renato Botelho
- Target version set to 2.4.1
Updated by Jim Pingle over 7 years ago
This is already partially done, 151b4e35eead8d1b1a9ccd1d1c3b3c4fb0e6620a
Though the calls to is_macaddr() could be changed to pass true for the second parameter to allow partial MAC matching that would take a bit more work crafting the tcpdump command as noted above.
Updated by Clinton Cory over 7 years ago
Jim Pingle wrote:
This is already partially done, 151b4e35eead8d1b1a9ccd1d1c3b3c4fb0e6620a
Though the calls to is_macaddr() could be changed to pass true for the second parameter to allow partial MAC matching that would take a bit more work crafting the tcpdump command as noted above.
The text under the "Host Address" field needs to be updated as well.
Updated by Jim Pingle over 7 years ago
- Assignee changed from Renato Botelho to Jim Pingle
- Target version changed from 2.4.1 to 2.4.0
I'll take this, it wasn't too difficult to implement, I've got a working set of changes to push.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 6aa85955fc074d9d35de782c32f7363391b945df.
Updated by John Murphy over 7 years ago
An initial packet capture was taken over the LAN interface to capture a sample of active MAC addresses on the network. After obtaining several MAC addresses to use while testing the filter, different packet captures were run, limiting the match to 1, 2, and 4 octets. Analysis of these packet captures showed that the capture files contained the expected MAC addresses.
Testing environment:
- SG-2220 w/ 2.4.0.b.20170301.1546
- Wireshark for analysis of downloaded capture files.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
Confirmed on a snapshot here, too. Thanks for testing!