Wireshark: Filter by Multicast in GUI

Question

Using the Wireshark "Filter" field in the Wireshark GUI, I would like to filter capture results so that only multicast packets are shown.

I've seen this post but that doesn't work for the GUI filter field. This Wireshark page shows how to filter out multicast, but not how to filter everything but multicast.

Does anyone know of a simple statement that will do this?

Thank you in advance!

Answer 1

even though it is very old topic, Mcast traffic range for destination MAC is 01:00:5E:00:00:00 - 01:00:5E:FF:FF:FF

So, I "slice" first three octets in ethernet detsination MAC address by:

eth.dst[0:3]==01:00:5E

Answer 2

With Wireshark (2.2.6 version for Linux) is possible to choose the filter "eth.ig == 1"

It refer to "IG bit" that is present in the Ethernet Frame.

The IG bit distinguishes whether the MAC address is an individual or group (hence IG) address. In other words, an IG bit of 0 indicates that this is a unicast MAC address, an IG bit of 1 indicates a multicast or broadcast address.

Answer 3

Just use this (eth.dst[0] & 1) . Multicast traffic is recognized by the least significant bit of the most significant byte of the MAC address. If 1, multicast, if 0, not.

Answer 4

I came across this solution by a process of trial and error.

Since a multicast address begins "1110" (128+64+32+0 = 224), a packet sent to a an IP address beginning 1110 is destined for a multicast address. Therefor, a packet matching the mask 224.0.0.0/4 is destined for a multicast address.

This display filter should therefor filter packets to multicast addresses only:

ip.dst==224.0.0.0/4

Answer 5

(eth.dst[0]&1) 

will filter both multicast and broadcast. So, from this exclude broadcast. It will be like

(eth.dst[0]&1) && !eth.dst==ff:ff:ff:ff:ff:ff 

Answer 6

Have you tried just using multicast as your filter? Because if not multicast filters out all multicast packets and lets through everything else as the page you linked seems to state, then that's only logical.