BPF expression to capture only arp-reply packets

Submitted by 孤人 on 2019-12-11 02:05:11

Question


Is there a BPF expression that would only capture arp-reply packets? Currently, I am using Pcap4J and the following BPF expression:

arp and dst host host and ether dst mac

where host is the IP address of my device and mac is the MAC address of my primary network interface. Unfortunately, when packets are captured, this filter allows ARP broadcast requests to also be captured, so I have to take an extra step to check if the operation field of the ARP header is 2 and not 1.


Answer 1:


Try this:

(arp[6:2] = 2) and dst host host and ether dst mac
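
What the three clauses of that filter test, shown as an added example that is not part of the original answer: `arp[6:2]` reads two bytes at offset 6 of the ARP header, which is the operation field (1 = request, 2 = reply). The Python below rebuilds the checks by hand on constructed frames; the addresses, `build_arp_frame` and `matches_filter` are assumptions made for illustration, not Pcap4J or libpcap code.

```python
import socket
import struct

ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
ARP_LEN = 28                # IPv4-over-Ethernet ARP packet
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_frame(op, eth_dst, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an ARP packet (constructed test data)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + socket.inet_aton(spa)   # sender MAC / IP
    arp += mac_bytes(tha) + socket.inet_aton(tpa)   # target MAC / IP
    return eth + arp

def matches_filter(frame, host, mac, reply_only=True):
    """Hand-written equivalent of:
         (arp[6:2] = 2) and dst host <host> and ether dst <mac>
       With reply_only=False it is the question's filter (no opcode test)."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return False                                 # truncated frame
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return False                                 # "arp"
    arp = frame[ETH_HDR_LEN:]
    opcode = struct.unpack_from("!H", arp, 6)[0]     # "arp[6:2]"
    if reply_only and opcode != ARP_REPLY:
        return False
    target_ip = socket.inet_ntoa(arp[24:28])         # "dst host" = ARP target IP
    return target_ip == host and frame[0:6] == mac_bytes(mac)  # "ether dst"

# Constructed sample addresses (documentation range / locally administered MACs)
MY_IP, MY_MAC = "192.0.2.10", "02:00:00:00:00:10"
PEER_IP, PEER_MAC = "192.0.2.1", "02:00:00:00:00:01"

REPLY = build_arp_frame(ARP_REPLY, MY_MAC, PEER_MAC, PEER_IP, MY_MAC, MY_IP)
UNICAST_REQUEST = build_arp_frame(ARP_REQUEST, MY_MAC, PEER_MAC, PEER_IP,
                                  "00:00:00:00:00:00", MY_IP)

if __name__ == "__main__":
    for name, frame in (("reply", REPLY), ("unicast request", UNICAST_REQUEST)):
        print(name, "without opcode test:", matches_filter(frame, MY_IP, MY_MAC, False),
              "| with arp[6:2] = 2:", matches_filter(frame, MY_IP, MY_MAC))
```

A request addressed to the device's own MAC and IP passes the address clauses, so only the opcode comparison separates it from a reply.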



Source: https://stackoverflow.com/questions/40196549/bpf-expression-to-capture-only-arp-reply-packets
