If you are trying to trace MAC's on the switch you are also connected to, then you'll want to sniff from a port which is spanned/mirrored to the port which has inbound/outbound traffic of that switch, so that you will see all the traffic coming in and out of the switch. For instance, tshark -i 1 -R "eth.addr eq xx:xx:xx:xx:xx:xx or eth.addr eq xx:xx:xx:xx:xx:xx" You can use a list for your MAC's in one display filter, but not a range, unless you switch to IP's instead of MAC's. If you are using a display filter of eth.addr = xx:xx:xx:xx:xx:xx and you are not seeing any information being displayed/sniffed, then the traffic for that MAC address is not passing through the port you're sniffing on.
0 kommentar(er)
