BPF expression to capture only arp-reply packets

About

Asked 22/10, 2016 at 20:9 Answered 23/10, 2016 at 4:32

Solved java packet-capture arp bpf pcap4j

Is there a BPF expression that would only capture arp-reply packets? Currently, I am using Pcap4J and the following BPF expression:

arp and dst host host and ether dst mac

where host is the IP address of my device and mac is the MAC address of my primary network interface. Unfortunately, when packets are captured, this filter allows ARP broadcast requests to also be captured, so I have to take an extra step to check if the operation field of the ARP header is 2 and not 1.

Prescience answered 22/10, 2016 at 20:9 Comment(0)

Try this:

(arp[6:2] = 2) and dst host host and ether dst mac

Glomerulonephritis answered 23/10, 2016 at 4:32 Comment(2)

You my friend, are a genius. Can you explain what the 6:2 index is doing? – Prescience 23/10, 2016 at 17:9

The 6 is the offset in ARP header, where the operation field starts. The 2 is the field's length. arp[6:2] returns the operation field's value. – Glomerulonephritis 23/10, 2016 at 23:18

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags