Posted by: terk
Subject: monitor single MAC address
Date: 20:54:17 21/11/2006

I read the information in the config file and the documentation before posting the original message.

filter_tracker=ANY(<mac_addr>) - Throws the mentioned error.
filter_tracker=ANY(!<mac_addr>) - Logs everything but the specified mac address.

I just want to be able to monitor a particular mac address. With the information I'm faced with, it looks like the only way that can be done is to use the syntax that doesn't throw the error and chain together filter commands of every other MAC address on my wireless network except the one I want to see. If the filter is "positive pass" and I want to monitor the mac address 11:22:33:44:55:66 both as a source address and a destination address, then the following should be a valid filter_tracker command:


Thank you.

> > When I do that, it discards all packets to and from that address and logs all others. I'm using a Cisco 350 card with the following source line if that helps any:
> Filters are "positive-pass": anything matched by the filter is passed and
> all else is excluded.
> Filtering can be done on address types (ANY, SOURCE, DEST, and BSSID).
> To exclude a network with the BSSID AA:BB:CC:DD:EE:FF, the filter would be:
> filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF)
> MAC addresses can be masked in the same fashion as IP netmasks. To
> match all networks of a certain manufacturer, restrict to the OUI:
> filter_tracker=BSSID(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)
> Multiple MAC addresses can be used on the same filter line. To filter
> out two known networks from being considered:
> filter_tracker=BSSID(!00:11:22:33:44:55,!00:11:22:33:44:66)
> Which is to say, all traffic not from 00..55 and not from 00..66 will
> be considered.
> So to exclude traffic from any network other than 00:00:00:AB:CD:EF
> filter_tracker=BSSID(00:00:00:AB:CD:EF)
> -m
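
The filter semantics described in the quoted configuration text (positive-pass, `!` negation, MAC masks, several addresses per line), modelled as an added example that is not part of the original post and is not Kismet's own parser, so it does not reproduce the error reported above. Assumptions of this sketch: ANY checks the source, destination and BSSID fields, a line mixing `!` and plain entries is rejected, and packets are plain dicts with constructed addresses.

```python
import re

# Which packet fields each address type inspects (ANY = all three: assumption).
TYPES = {"ANY": ("source", "dest", "bssid"), "SOURCE": ("source",),
         "DEST": ("dest",), "BSSID": ("bssid",)}

def mac_to_int(text):
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", text):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(text.replace(":", ""), 16)

def parse_filter(line):
    """Parse 'filter_tracker=TYPE(entry,...)' into (fields, negated, entries)."""
    m = re.fullmatch(r"\s*filter_tracker\s*=\s*(\w+)\((.+)\)\s*", line)
    if not m or m.group(1) not in TYPES:
        raise ValueError(f"unrecognised filter line: {line!r}")
    entries, negations = [], set()
    for item in m.group(2).split(","):
        item = item.strip()
        negated = item.startswith("!")
        negations.add(negated)
        addr, _, mask = (item[1:] if negated else item).partition("/")
        # No mask given means an exact match on all 48 bits.
        mask_int = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF
        entries.append((mac_to_int(addr) & mask_int, mask_int))
    if len(negations) != 1:
        # Assumption of this sketch: a line is either all "!" or all plain.
        raise ValueError("mixed negated and plain entries")
    return TYPES[m.group(1)], negations.pop(), entries

def passes(line, packet):
    """True if the packet (dict of source/dest/bssid MAC strings) is kept."""
    fields, negated, entries = parse_filter(line)
    addrs = [mac_to_int(packet[f]) for f in fields if packet.get(f)]
    hit = any(a & mask == want for a in addrs for want, mask in entries)
    # Positive-pass: plain entries keep matches; "!" entries keep the rest.
    return hit != negated

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    target = {"source": "11:22:33:44:55:66", "dest": "00:11:22:33:44:55",
              "bssid": "00:11:22:33:44:55"}
    other = {"source": "AA:BB:CC:12:34:56", "dest": "00:11:22:33:44:55",
             "bssid": "00:11:22:33:44:55"}
    for rule in ("filter_tracker=ANY(11:22:33:44:55:66)",
                 "filter_tracker=ANY(!11:22:33:44:55:66)",
                 "filter_tracker=SOURCE(AA:BB:CC:00:00:00/FF:FF:FF:00:00:00)"):
        print(rule, "target:", passes(rule, target), "other:", passes(rule, other))
```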

