Feature #6743

closed

Packet Capture - Filter MAC

Added by Clinton Cory about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Category: Diagnostics
Start date: 08/25/2016
% Done: 100%

Description

Under Diagnostics -> Packet Capture, there is no option to filter by partial or full MAC address. This should be fairly simple to add since the capture file includes link-layer headers already.

To add this functionality I believe the following changes need to occur in /usr/local/www/diag_packet_capture.php

1) Add logic to existing $host sanity and parsing functions to account for MAC address in one of the following formats (lower-case or upper-case, hexadecimal) when entered in the host field:
XX:XX:XX:XX:XX:XX
XXXX.XXXX.XXXX
XXXXXXXXXXXX

2) If a MAC is used as the host then determine if the MAC entered is a complete or partial MAC.
If a partial MAC is used then it must be the first byte (two hexadecimal values), first two bytes (four hexadecimal values), or first four bytes (six hexadecimal values).

3) If a MAC is detected as the host automatically include the -e flag regardless of the Detail value selected ($detail_args).

4) If a complete MAC is provided then append ether host {$mac} when reading the capture file, i.e.:
system("/usr/sbin/tcpdump {$disabledns} {$detail_args} {$iscarp} -r {$fp}{$fn} ether host {$mac}");

5) If a partial MAC is provided then append one of the following enclosed in quotes (M = hexadecimal value):
First two of MAC address -> "ether[0:1] 0xMM or ether[6:1] 0xMM"
First four of MAC address -> "ether[0:2] 0xMMMM or ether[6:2] 0xMMMM"
First six of MAC address -> "ether[0:4] 0xMMMMMM or ether[6:4] 0xMMMMM"

I'd recommend using a variable to define the ether parameter that is appended to tcpdump when reading the capture. So for example (not accurate syntax, but you get the point):
IF mac THEN
$ether = "ether host $mac"
ELIF partmac THEN
$ether = "ether[0:$B] 0x($mac) or ether[6:$B] 0x($mac)"

If $ether is null then I imagine it can always be included in the tcpdump command reading output. It also may be a good idea to convert the MAC value into a string of lower-case values for consistency. Determining the length of that string should be easier and can be used to create conditions when partial matching.
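The following is an added example of the host-field handling described above; it is not pfSense's own code from diag_packet_capture.php, and the function names and argument list are assumptions. It uses tcpdump's `ether[off:len] = value` comparison form and treats a six-hex-digit prefix as three leading bytes, and it passes the validated value through escapeshellarg() before it reaches system().

```php
<?php
// Added example, not pfSense's own code: accept a full or partial MAC in the
// host field, normalise it, and build the tcpdump filter for reading the capture.

// Returns ['full' => bool, 'hex' => string] or null if $host is not a MAC.
function parse_mac_host($host) {
    $h = strtolower(trim($host));
    $shapes = [
        '/^([0-9a-f]{2}:){1,5}[0-9a-f]{2}$/',          // aa:bb:cc:dd:ee:ff or a prefix
        '/^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$/',    // aabb.ccdd.eeff
        '/^[0-9a-f]{2,12}$/',                          // aabbccddeeff or a prefix
    ];
    foreach ($shapes as $re) {
        if (preg_match($re, $h)) {
            $hex = str_replace([':', '.'], '', $h);
            if (strlen($hex) === 12) {
                return ['full' => true, 'hex' => $hex];
            }
            // Partial match only on 1, 2 or 3 leading bytes (2, 4 or 6 hex digits).
            if (in_array(strlen($hex), [2, 4, 6], true)) {
                return ['full' => false, 'hex' => $hex];
            }
            return null;
        }
    }
    return null;
}

// Builds the BPF expression; '' means "no MAC filter".
function mac_filter_expr($host) {
    $mac = parse_mac_host($host);
    if ($mac === null) {
        return '';
    }
    if ($mac['full']) {
        return 'ether host ' . implode(':', str_split($mac['hex'], 2));
    }
    $n = strlen($mac['hex']) / 2;   // number of leading bytes to compare
    // Compare the prefix against the destination (offset 0) and source (offset 6) address.
    return "ether[0:{$n}] = 0x{$mac['hex']} or ether[6:{$n}] = 0x{$mac['hex']}";
}

// Assembles the read command; the filter and file path go through escapeshellarg()
// so the validated value is never interpreted by the shell. -e is forced on for MACs.
function build_read_command($fp, $fn, $host, $detail_args) {
    $ether = mac_filter_expr($host);
    if ($ether === '') {
        return "/usr/sbin/tcpdump {$detail_args} -r " . escapeshellarg($fp . $fn);
    }
    return "/usr/sbin/tcpdump {$detail_args} -e -r " . escapeshellarg($fp . $fn) . ' ' . escapeshellarg($ether);
}
```

A purely hexadecimal hostname such as `beef` would be classified as a MAC prefix by this check, so the MAC branch should only be tried after the existing IP and hostname checks have failed.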
