I've tried a number of things, but none of them seem to do the trick. I want to run this command:
tshark -r data.pcap -T fields -e frame.time_epoch -e frame.len
but to have it ignore any packets from/to one or more devices that have a specific MAC address. I've tried variants of not eth.addr==, mac !=, etc with the -Y flag.
If this is not possible with tshark, a separate command (e.g. tcpdump) to preprocess the pcap and filter packets out into a new file would work too. Any tips would be much appreciated!
Best Answer
You can use
not ether host 01:23:45:67:89:ab. To filter only source or destination address usenot ether srcornot ether dst.Check http://www.tcpdump.org/manpages/pcap-filter.7.html