Is there a way to capture only gratuitous ARPs using tcpdump? I'm trying to set up tcpdump to filter only gratuitous ARPs. I know that I need to search for packets with a host set to ff:ff:ff:ff:ff:ff. And I found the arp.opcode parameter, but I can't seem to get it to work. For example, this: tcpdump -i wm0 arp and arp.opcode == 2 returns a syntax error. Can anyone shed some light on this? Thanks, Jason M.

In the usual tcpdump for Unix systems, only some fields are known by their name.

Try specifying the opcode field by offset and size, and comparing with 2 ("reply"):


tcpdump -i eth99 'arp and arp[6:2] == 2'


For broadcasts with opcode "reply", which should be just the gratuitous ARPs:


tcpdump -i eth99 'broadcast and arp and arp[6:2] == 2'
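
An added example, not part of the original answer: a Python sketch that parses constructed ARP payloads to show which bytes arp[6:2] reads, and goes one step further by also comparing sender and target IP, which are equal in a gratuitous ARP. The function names, MAC addresses and 192.0.2.x addresses are assumptions made for the demo.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Bytes 0-7 of an ARP payload: htype, ptype, hlen, plen, opcode.
ARP_FIXED = struct.Struct("!HHBBH")

def build_arp(opcode, sha, spa, tha, tpa):
    """Build a constructed 28-byte Ethernet/IPv4 ARP payload for the demo."""
    return (ARP_FIXED.pack(1, 0x0800, 6, 4, opcode)
            + bytes.fromhex(sha.replace(":", "")) + socket.inet_aton(spa)
            + bytes.fromhex(tha.replace(":", "")) + socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (opcode, sender_ip, target_ip) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _ = ARP_FIXED.unpack_from(payload, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    # The same two bytes the filter expression arp[6:2] reads.
    opcode = int.from_bytes(payload[6:8], "big")
    sender_ip = socket.inet_ntoa(payload[14:18])
    target_ip = socket.inet_ntoa(payload[24:28])
    return opcode, sender_ip, target_ip

def matches_answer_filter(payload, dst_mac):
    """Mirror of: broadcast and arp and arp[6:2] == 2."""
    opcode, _, _ = parse_arp(payload)
    return dst_mac.lower() == BROADCAST and opcode == 2

def is_gratuitous(payload, dst_mac):
    """Broadcast ARP whose sender IP equals its target IP (either opcode)."""
    _, sender_ip, target_ip = parse_arp(payload)
    return dst_mac.lower() == BROADCAST and sender_ip == target_ip

# Constructed sample payloads (not captured traffic).
GRAT_REPLY = build_arp(2, "02:00:00:00:00:01", "192.0.2.10", BROADCAST, "192.0.2.10")
GRAT_REQUEST = build_arp(1, "02:00:00:00:00:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.10")
WHO_HAS = build_arp(1, "02:00:00:00:00:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.20")

if __name__ == "__main__":
    for name, pkt in (("gratuitous reply", GRAT_REPLY),
                      ("gratuitous request", GRAT_REQUEST),
                      ("ordinary who-has", WHO_HAS)):
        print(name, parse_arp(pkt),
              "filter:", matches_answer_filter(pkt, BROADCAST),
              "gratuitous:", is_gratuitous(pkt, BROADCAST))
```
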
