I am not sure Wireshark is the best tool for this. Some options:

  1. Specific tool for this, like Lansweeper and probably many others. Angry IP Scanner maybe?
  2. On the host running nmap, investigate the ARP cache as that will map IPs to MAC addresses.
  3. tshark output of src IP with src MAC, filtered on a Linux system:

    tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t

You will only be able to reliably map MAC to IP on the local network in most cases.

Example:

    wsuser@wssys:~/tmp$ tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t
    10.1.10.1     01:05:ca:08:0f:1c
    10.1.10.50    02:cd:e6:65:aa:c2
    10.1.10.58    03:90:0b:de:10:e5
    10.1.10.6     04:b7:1f:5c:f1:a8
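
The limit noted in the answer above (IP-to-MAC pairs are only reliable for hosts on the local network) can be checked mechanically, because routed traffic arrives with the gateway's MAC as its Ethernet source. The following is an added example, not part of the original answer: a POSIX shell function that reads the two-column output of the tshark pipeline and labels each pair. The function names, the labels, and the last three sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: label "IP MAC" pairs produced by the tshark pipeline above.
# Labels (HOST, MULTI_IP, MULTI_MAC) are this example's own naming.
classify_pairs() {
    awk '
    NF >= 2 {
        ip = $1; mac = tolower($2)
        if (seen[ip, mac]++) next              # skip repeated pairs
        sep = (n_ip[mac]++ ? "," : ""); ips_of[mac] = ips_of[mac] sep ip
        sep = (n_mac[ip]++ ? "," : ""); macs_of[ip] = macs_of[ip] sep mac
    }
    END {
        for (mac in n_ip) {
            if (n_ip[mac] > 1)
                # One MAC fronting several source IPs: a router or gateway
                # forwarding traffic from other networks.
                printf "MULTI_IP %s %s\n", mac, ips_of[mac]
            else if (n_mac[ips_of[mac]] == 1)
                # One-to-one pair: consistent with an on-link host.
                printf "HOST %s %s\n", ips_of[mac], mac
        }
        for (ip in n_mac)
            if (n_mac[ip] > 1)
                # One IP behind several MACs: duplicate address, failover,
                # or ARP spoofing; worth a closer look.
                printf "MULTI_MAC %s %s\n", ip, macs_of[ip]
    }' | LC_ALL=C sort
}

# Sample input: the first four rows are the output shown in the answer,
# the last three are constructed (documentation-range IPs, made-up MAC).
sample_pairs() {
    cat <<'EOF'
10.1.10.1     01:05:ca:08:0f:1c
10.1.10.50    02:cd:e6:65:aa:c2
10.1.10.58    03:90:0b:de:10:e5
10.1.10.6     04:b7:1f:5c:f1:a8
192.0.2.10    01:05:ca:08:0f:1c
198.51.100.7  01:05:ca:08:0f:1c
10.1.10.50    02:00:00:00:00:99
EOF
}

sample_pairs | classify_pairs
```

With a real capture, pipe the tshark field output (before `column -t` or after, both work) into `classify_pairs` instead of `sample_pairs`.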
