Wireshark: Filter by Multicast in GUI

Asked 9/7, 2012 at 17:26 Answered 31/1, 2018 at 16:17

Using the Wireshark "Filter" field in the Wireshark GUI, I would like to filter capture results so that only multicast packets are shown.

I've seen this post but that doesn't work for the GUI filter field. This Wireshark page shows how to filter out multicast, but not how to filter everything but multicast.

Does anyone know of a simple statement that will do this?

Thank you in advance!

Bergmann answered 9/7, 2012 at 17:26 Comment(0)

Just use this (eth.dst[0] & 1) . Multicast traffic is recognized by the least significant bit of the most significant byte of the MAC address. If 1, multicast, if 0, not.

Bluebell answered 9/7, 2012 at 17:37 Comment(7)

That produces the Wireshark error "multicast" was unexpected in this context. Any ideas? I wonder if there is simply a syntax issue. ip==multicast didn't produce an error, but it doesn't show any resuts either (and there are many many multicast packets that should be showing). – Bergmann 9/7, 2012 at 17:42

Did you try ip==multicast and ether==multicast? – Bluebell 9/7, 2012 at 17:44

As mentioned above, ip==multicast didn't produce any results. ether==multicast produces the Wireshark error Neither "ether" nor "multicast" are field or protocol names. – Bergmann 9/7, 2012 at 17:46

Edited my answer with a more direct solution – Bluebell 9/7, 2012 at 17:53

This also displays broadcast, see mojjj's answer. – Inexpensive 4/3, 2017 at 14:7

That is true, but broadcast is a type of multicast traffic. So this still answers the original question. @mojjj's answer is still beneficial because it does provide a way to explicitly exclude broadcast. – Bluebell 9/3, 2017 at 19:7

Sorry my bad, would like to remove the downvote but can't – Inexpensive 17/3, 2017 at 16:36

(eth.dst[0]&1)

will filter both multicast and broadcast. So, from this exclude broadcast. It will be like

(eth.dst[0]&1) && !eth.dst==ff:ff:ff:ff:ff:ff

Shapiro answered 23/11, 2012 at 10:4 Comment(1)

What worked for me was eth.dst[0]&1 && eth.dst!=ff:ff:ff:ff:ff:ff – Glinys 10/10, 2019 at 19:10

I came across this solution by a process of trial and error.

Since a multicast address begins "1110" (128+64+32+0 = 224), a packet sent to a an IP address beginning 1110 is destined for a multicast address. Therefor, a packet matching the mask 224.0.0.0/4 is destined for a multicast address.

This display filter should therefor filter packets to multicast addresses only:

ip.dst==224.0.0.0/4

Extraterrestrial answered 16/2, 2014 at 18:1 Comment(2)

I think this must be the solution for the network packets with IP layer. Using MAC address information for broadcast is more general solution. – Kentigera 16/10, 2019 at 14:58

Note that this filter display IPv4 multicast only, hiding IPv6. – Amund 23/9, 2022 at 13:1

With Wireshark (2.2.6 version for Linux) is possible to choose the filter "eth.ig == 1"

It refer to "IG bit" that is present in the Ethernet Frame.

The IG bit distinguishes whether the MAC address is an individual or group (hence IG) address. In other words, an IG bit of 0 indicates that this is a unicast MAC address, an IG bit of 1 indicates a multicast or broadcast address.

Cesya answered 31/1, 2018 at 16:17 Comment(0)

-1

Have you tried just using multicast as your filter? Because if not multicast filters out all multicast packets and lets through everything else as the page you linked seems to state, then that's only logical.

Esp answered 9/7, 2012 at 17:29 Comment(2)

I did try that but Wireshark gives the error "multicast" is neither a field nor a protocol name. – Bergmann 9/7, 2012 at 17:32

Oh, looks like that's because it's actually a capture filter rather than a display filter. Sorry for not noticing before. – Esp 9/7, 2012 at 19:9

Recommended topics

Hot tags