
What BPF filter should I use to find the following:

  1. For all traffic FROM the MAC address 00:11:22:33:44:55
  2. For all traffic TO the MAC address 00:11:22:33:44:55
  3. For all traffic TO and FROM the MAC address 00:11:22:33:44:55
  4. For all traffic TO and FROM the MAC addresses 00:11:22:33:44:55 and 00:11:22:33:44:56.

1 Answer


For 1, 2, and 3 this should work:

sudo tcpdump -i enp2s0 ether host 00:11:22:33:44:55

although, I actually prefer this:

sudo tcpdump -n -tttt -i enp2s0 ether host 00:11:22:33:44:55

Note: change your interface name to whatever yours is. It doesn't seem to work without specifying an interface name (based on my tests).

For 4, this worked for me (I have left my test MACs as is):

sudo tcpdump -n -tttt -i enp2s0 ether host 00:23:32:9f:a3:cb or ether host f4:6d:04:65:2d:8e
Doug Smythies
  • 16,146
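The filter primitives in play here are `ether src`, `ether dst` and `ether host`; in pcap-filter syntax `ether host X` is true when X is either the source or the destination address of the frame, so it covers items 1 through 3 at once, while `ether src X` and `ether dst X` isolate items 1 and 2 on their own. The following Python script is an added example (not part of the answer above and not code from the tcpdump project): it parses the 14-byte Ethernet header of constructed sample frames, re-implements the three primitives and the `or` combination as plain predicates, and also builds the corresponding tcpdump expression strings. The frames, MAC addresses and function names are all constructed for the example.

```python
import struct

# Constructed sample addresses: the two from the question plus an unrelated one.
MAC_A = "00:11:22:33:44:55"
MAC_B = "00:11:22:33:44:56"
MAC_OTHER = "aa:bb:cc:dd:ee:ff"


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes, rejecting malformed input."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build an Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from the 14-byte Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return bytes_to_mac(dst), bytes_to_mac(src), ethertype


# Predicates mirroring the pcap-filter primitives (constructed names).
def ether_src(mac: str):
    mac = mac.lower()
    return lambda frame: parse_ethernet(frame)[1] == mac


def ether_dst(mac: str):
    mac = mac.lower()
    return lambda frame: parse_ethernet(frame)[0] == mac


def ether_host(mac: str):
    # 'ether host' is true for either direction: src OR dst.
    src_match, dst_match = ether_src(mac), ether_dst(mac)
    return lambda frame: src_match(frame) or dst_match(frame)


def any_of(*predicates):
    """Combine predicates like the BPF 'or' operator."""
    return lambda frame: any(p(frame) for p in predicates)


def bpf_expression(kind: str, macs) -> str:
    """Build the tcpdump expression text, e.g. 'ether host A or ether host B'."""
    if kind not in ("src", "dst", "host"):
        raise ValueError(f"unknown primitive: {kind!r}")
    for mac in macs:
        mac_to_bytes(mac)  # validate before it reaches a capture command line
    return " or ".join(f"ether {kind} {mac}" for mac in macs)


def demo():
    """Run each filter over four constructed frames and report match counts."""
    frames = [
        build_frame(dst=MAC_OTHER, src=MAC_A),  # item 1: FROM A
        build_frame(dst=MAC_A, src=MAC_OTHER),  # item 2: TO A
        build_frame(dst=MAC_B, src=MAC_OTHER),  # item 4: TO B
        build_frame(dst=MAC_OTHER, src=MAC_OTHER),  # unrelated traffic
    ]
    filters = {
        "ether src A": ether_src(MAC_A),
        "ether dst A": ether_dst(MAC_A),
        "ether host A": ether_host(MAC_A),
        "ether host A or ether host B": any_of(ether_host(MAC_A), ether_host(MAC_B)),
    }
    return {name: sum(1 for f in frames if pred(f)) for name, pred in filters.items()}


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:32s} matched {count} of 4 frames")
    print(bpf_expression("host", [MAC_A, MAC_B]))
```

Running it shows `ether src A` and `ether dst A` each matching one frame, `ether host A` matching both of them, and the `or` form matching three of the four. To check that an expression is accepted before capturing, tcpdump's `-d` option prints the compiled BPF program instead of starting a capture.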