Feature #6743: Packet Capture - Filter MAC (closed, 100% done)
Description
Under Diagnostics -> Packet Capture, there is no option to filter by partial or full MAC address. This should be fairly simple to add since the capture file includes link-layer headers already.
To add this functionality I believe the following changes need to occur in /usr/local/www/diag_packet_capture.php:
1) Add logic to the existing $host sanity and parsing functions to accept a MAC address in one of the following formats (hexadecimal, lower-case or upper-case) when entered in the host field:
XX:XX:XX:XX:XX:XX
XXXX.XXXX.XXXX
XXXXXXXXXXXX
2) If a MAC is used as the host, determine whether the MAC entered is complete or partial.
If a partial MAC is used then it must be the first byte (two hexadecimal values), the first two bytes (four hexadecimal values), or the first four bytes (six hexadecimal values).
3) If a MAC is detected as the host, automatically include the -e flag regardless of the Detail value selected ($detail_args).
4) If a complete MAC is provided then append ether host {$mac} when reading the capture file, i.e.:
system("/usr/sbin/tcpdump {$disabledns} {$detail_args} {$iscarp} -r {$fp}{$fn} ether host {$mac}");
5) If a partial MAC is provided then append one of the following, enclosed in quotes (M = hexadecimal digit):
First two of MAC address -> "ether[0:1] 0xMM or ether[6:1] 0xMM"
First four of MAC address -> "ether[0:2] 0xMMMM or ether[6:2] 0xMMMM"
First six of MAC address -> "ether[0:4] 0xMMMMMM or ether[6:4] 0xMMMMMM"
I'd recommend using a variable to define the ether parameter that is appended to the tcpdump command when reading the capture. For example (not accurate syntax, but you get the point):
IF mac THEN
$ether = "ether host $mac"
ELIF partmac THEN
$ether = "ether[0:$B] 0x($mac) or ether[6:$B] 0x($mac)"
If $ether is null then I imagine it can still always be included in the tcpdump command that reads the output. It may also be a good idea to convert the MAC value into a lower-case string for consistency; determining the length of that string is then easier and can be used to build the conditions for partial matching.
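As an added example (not pfSense's own code and not part of this request), here is a PHP sketch of points 1, 2, 4 and 5: the normaliser accepts the three notations plus a 1- to 3-byte prefix, and the filter builder follows what pcap-filter actually accepts, which differs from the expressions above in two ways: a byte-offset test needs a relational operator (=), and accesses are 1, 2 or 4 bytes wide, so a three-byte prefix is split into a 2-byte and a 1-byte compare. Function names and the capture path are assumptions.

```php
<?php
// Added example, not pfSense code; function names and capture path are hypothetical.
// Accept xx:xx:xx:xx:xx:xx, xxxx.xxxx.xxxx, xxxxxxxxxxxx or a 1-3 byte prefix
// (colon-separated or bare hex); return lower-case hex with no separators,
// or null when the value is not a usable MAC.
function mac_normalize(string $host): ?string {
    $host = strtolower(trim($host));
    $patterns = [
        '/^[0-9a-f]{2}(?::[0-9a-f]{2}){0,5}$/',  // colon form, full or prefix
        '/^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$/',   // dotted form, full only
        '/^(?:[0-9a-f]{2}){1,6}$/',              // bare hex, full or prefix
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $host)) {
            $hex = str_replace([':', '.'], '', $host);
            // Only a full MAC or a 1, 2 or 3 byte prefix is accepted.
            return in_array(strlen($hex), [2, 4, 6, 12], true) ? $hex : null;
        }
    }
    return null;
}

// Full MAC: "ether host". Prefix: compare the leading bytes of both destination
// (offset 0) and source (offset 6) address. pcap-filter reads 1, 2 or 4 bytes
// per access and needs a relational operator, so 3 bytes = a 2-byte and a 1-byte test.
function mac_filter(string $hex): string {
    if (strlen($hex) === 12) {
        return 'ether host ' . implode(':', str_split($hex, 2));
    }
    $bytes = intdiv(strlen($hex), 2);
    $parts = [];
    foreach ([0, 6] as $off) {
        $parts[] = $bytes === 3
            ? sprintf('(ether[%d:2] = 0x%s and ether[%d:1] = 0x%s)',
                      $off, substr($hex, 0, 4), $off + 2, substr($hex, 4, 2))
            : sprintf('ether[%d:%d] = 0x%s', $off, $bytes, $hex);
    }
    return implode(' or ', $parts);
}

// Constructed inputs: each notation, a 3-byte prefix, and a non-MAC host.
foreach (['00:1A:2B:3C:4D:5E', '001a.2b3c.4d5e', '001A2B', '10.0.0.1'] as $host) {
    $hex = mac_normalize($host);
    if ($hex === null) {
        echo "$host: not a MAC, leave it to the existing host handling\n";
        continue;
    }
    // -e is forced (point 3); the filter holds only validated hex and is still quoted.
    $ether = escapeshellarg(mac_filter($hex));
    echo "$host -> /usr/sbin/tcpdump -e -r /tmp/capture.cap $ether\n";
}
```

Bare hex without separators is ambiguous with short hostnames such as "cafe", which is the main reason to prefer the separated notations for prefixes.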