Feature #6743

Packet Capture - Filter MAC

Added by Clinton Cory 8 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Diagnostics
Target version:
Start date: 08/25/2016
Due date:
% Done: 100%


Description

Under Diagnostics -> Packet Capture, there is no option to filter by partial or full MAC address. This should be fairly simple to add since the capture file includes link-layer headers already.

To add this functionality I believe the following changes need to occur in /usr/local/www/diag_packet_capture.php:

1) Add logic to existing $host sanity and parsing functions to account for MAC address in one of the following formats (lower-case or upper-case, hexadecimal) when entered in the host field:
XX:XX:XX:XX:XX:XX
XXXX.XXXX.XXXX
XXXXXXXXXXXX

2) If a MAC is used as the host, then determine whether the MAC entered is a complete or partial MAC.
If a partial MAC is used, then it must be the first byte (two hexadecimal values), first two bytes (four hexadecimal values), or first four bytes (six hexadecimal values).

3) If a MAC is detected as the host, automatically include the -e flag regardless of the Detail value selected ($detail_args).

4) If a complete MAC is provided, then append ether host {$mac} when reading the capture file, i.e.:
system("/usr/sbin/tcpdump {$disabledns} {$detail_args} {$iscarp} -r {$fp}{$fn} ether host {$mac}");

5) If a partial MAC is provided, then append one of the following enclosed in quotes (M = hexadecimal value):
First two of MAC address -> "ether[0:1] 0xMM or ether[6:1] 0xMM"
First four of MAC address -> "ether[0:2] 0xMMMM or ether[6:2] 0xMMMM"
First six of MAC address -> "ether[0:4] 0xMMMMMM or ether[6:4] 0xMMMMM"

I'd recommend using a variable to define the ether parameter that is appended to tcpdump when reading the capture. So, for example (not accurate syntax, but you get the point):
IF mac THEN
$ether = "ether host $mac"
ELIF partmac THEN
$ether = "ether[0:$B] 0x($mac) or ether[6:$B] 0x($mac)"

If $ether is null, then I imagine it can always be included in the tcpdump command reading output. It also may be a good idea to convert the MAC value into a string of lower-case values for consistency. Determining the length of that string should be easier and can be used to create conditions when partial matching.
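A worked version of the parsing and filter construction the request describes, written here as stand-alone Python rather than the project's PHP; it is an added example, not code from the pfSense page or repository, and the MAC values in the comments and tests are constructed. It accepts the three spellings above, normalizes to lower-case hex, allows prefixes of 1, 2 or 4 bytes (the widths a single BPF `ether[off:len]` load can compare, and the prefix lengths exercised in the testing below), emits the `==` comparison that the pcap-filter grammar requires, forces `-e`, and hands tcpdump an argv list so no shell ever sees the user's input.

```python
import re

# Accepted spellings: "00:11:22:33:44:55", "0011.2233.4455", "001122334455"
# (case-insensitive); a prefix such as "00:11" or "0011.2233" is also allowed.
_FORMS = (
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2})*$"),   # colon-separated
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4})*$"),  # dot-separated groups of 4
    re.compile(r"^(?:[0-9a-f]{2})+$"),               # bare hex digits
)
# BPF can load 1, 2 or 4 bytes in one ether[off:len] access, so those are the
# prefix lengths that a single comparison can match.
PREFIX_BYTES = (1, 2, 4)

def normalize_mac(text):
    """Return lower-case hex digits only, or None if text is not a MAC (or a
    supported MAC prefix) in one of the accepted forms.  Rejecting everything
    else before the value reaches the tcpdump command is the safeguard that
    matters when the caller interpolates it into system()."""
    s = text.strip().lower()
    if not any(p.match(s) for p in _FORMS):
        return None
    digits = s.replace(":", "").replace(".", "")
    n = len(digits) // 2
    return digits if n == 6 or n in PREFIX_BYTES else None

def ether_filter(text):
    """Build the tcpdump filter fragment for a full or partial MAC."""
    digits = normalize_mac(text)
    if digits is None:
        raise ValueError("not a MAC address or supported MAC prefix: %r" % text)
    n = len(digits) // 2
    if n == 6:
        # Complete address: match either destination or source.
        return "ether host " + ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    # Prefix: compare the first n bytes of dst (offset 0) and src (offset 6).
    return "ether[0:{n}] == 0x{d} or ether[6:{n}] == 0x{d}".format(n=n, d=digits)

def read_command(capture_path, host_text, detail_args=()):
    """argv for replaying a saved capture with the MAC filter applied.  -e is
    forced (item 3 above) so the link-layer addresses the filter matched are
    printed; the expression is one argument, so no shell quoting is involved."""
    argv = ["/usr/sbin/tcpdump", *detail_args]
    if "-e" not in argv:
        argv.append("-e")
    return argv + ["-r", capture_path, ether_filter(host_text)]
```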

Associated revisions

Revision 6aa85955
Added by Jim Pingle 2 months ago

Finish MAC address matching for packet capture. Implements #6743

History

#1 Updated by Renato Botelho 2 months ago

  • Assignee set to Renato Botelho
  • Target version set to 2.4.1

#2 Updated by Jim Pingle 2 months ago

This is already partially done: 151b4e35eead8d1b1a9ccd1d1c3b3c4fb0e6620a

Though the calls to is_macaddr() could be changed to pass true for the second parameter to allow partial MAC matching, that would take a bit more work crafting the tcpdump command, as noted above.

#3 Updated by Clinton Cory 2 months ago

Jim Pingle wrote:

    This is already partially done: 151b4e35eead8d1b1a9ccd1d1c3b3c4fb0e6620a

    Though the calls to is_macaddr() could be changed to pass true for the second parameter to allow partial MAC matching, that would take a bit more work crafting the tcpdump command, as noted above.

The text under the "Host Address" field needs to be updated as well.

#4 Updated by Jim Pingle 2 months ago

  • Assignee changed from Renato Botelho to Jim Pingle
  • Target version changed from 2.4.1 to 2.4.0

I'll take this; it wasn't too difficult to implement. I've got a working set of changes to push.

#5 Updated by Jim Pingle 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#6 Updated by John Murphy about 2 months ago

An initial packet capture was taken over the LAN interface to capture a sample of active MAC addresses on the network. After obtaining several MAC addresses to use while testing the filter, different packet captures were run, limiting to 1, 2, and 4 octets. Analysis of these various packet captures showed the expected MAC addresses contained in the capture files.

Testing environment:

  • SG-2220 with 2.4.0.b.20170301.1546
  • Wireshark for analysis of downloaded capture files.

#7 Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved

Confirmed on a snapshot here, too. Thanks for testing!
