
Resolved or Mapped ARP Target IP Address

Is there a display filter that can be used to apply as column, the resolved or mapped host name for an ARP target IP address?

This string value is shown in the packet details window.

juandering asked 2021-03-29 13:54:50 +0000

2 Answers

Target IP address: jw-pi01.local (192.168.7.5) field is arp.dst.proto_ipv4 defined in packet-arp.c:

    { &hf_arp_dst_proto_ipv4,
      { "Target IP address",            "arp.dst.proto_ipv4",
        FT_IPv4,        BASE_NONE,      NULL,   0x0,
        NULL, HFILL }},

proto_item_fill_label() in proto.c formats the string and calls for name resolution:

        case FT_IPv4:
            ipv4 = fvalue_get_uinteger(&fi->value);

            addr.type = AT_IPv4;
            addr.len  = 4;
            addr.data = &ipv4;

            if (hfinfo->display == BASE_NETMASK) {
                addr_str = (char*)address_to_str(NULL, &addr);
            } else {
                addr_str = (char*)address_with_resolution_to_str(NULL, &addr);
            }
            g_snprintf(label_str, ITEM_LABEL_LENGTH,
                   "%s: %s", hfinfo->name, addr_str);
            wmem_free(NULL, addr_str);
            break;

If you are open to a Lua plugin, arp_host.lua available in the Contrib section of the Wireshark wiki, will add a new field arp_host.target that copies in the formatted/resolved address which can be added as a column and filtered on.

Chuckc answered 2021-03-30 02:38:12 +0000
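A minimal postdissector of the kind Chuckc's answer describes, written here as an added example (it is not the Contrib arp_host.lua plugin itself, nor code from either poster). The proto and field names arp_res, arp_res.target and arp_res.sender are my own choices, and the sender field goes a little beyond the answer by exposing the resolved sender address as well:

```lua
-- Added example: a Wireshark Lua postdissector that copies the resolved
-- representation of the ARP target (and sender) IPv4 address into new
-- string fields, so they can be added as columns and used in filters.
-- Names (arp_res, arp_res.target, arp_res.sender) are assumptions, not
-- those of the Contrib arp_host.lua plugin.
local arp_res = Proto("arp_res", "ARP resolved addresses")

local f_target = ProtoField.string("arp_res.target", "Resolved target IP")
local f_sender = ProtoField.string("arp_res.sender", "Resolved sender IP")
arp_res.fields = { f_target, f_sender }

-- Extractors for the existing ARP fields. They must be created at load
-- time, before any packet is dissected.
local arp_dst_ip = Field.new("arp.dst.proto_ipv4")
local arp_src_ip = Field.new("arp.src.proto_ipv4")

function arp_res.dissector(tvb, pinfo, tree)
    local dst = arp_dst_ip()
    if not dst then
        return  -- not an ARP packet with an IPv4 target; nothing to add
    end
    local subtree = tree:add(arp_res, "ARP resolved addresses")
    -- FieldInfo.display is the text shown in the packet details pane
    -- after "Target IP address: ", e.g. "jw-pi01.local (192.168.7.5)"
    -- when network name resolution is enabled, or just the address
    -- when it is not.
    subtree:add(f_target, dst.display)
    local src = arp_src_ip()
    if src then
        subtree:add(f_sender, src.display)
    end
end

register_postdissector(arp_res)
```

Drop the file into the personal Lua plugins folder; the host name part only appears when network name resolution is on (View > Name Resolution > Resolve Network Addresses, or -N n with tshark), e.g. tshark -r CaptureFile.pcapng -N n -Y arp -T fields -e arp_res.target.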

Comments

Many thanks @Chuckc for all your efforts to address this issue. I have downloaded and tested the postdissector that you provided -- JWTDO!

juandering (2021-03-30 09:24:38 +0000)

You can use the display filter "arp.opcode == 2" to show ARP replies only. To add the sender's IP and MAC address as columns, select one packet, expand the "Address Resolution Protocol (reply)" section, right-click on "Sender MAC address" and choose "Add as column". Do the same with "Sender IP address".

You can also use tshark (located in the installation folder of Wireshark) to export a list of all ARP replies from a capture file, containing the MAC (arp.src.hw_mac) and IP addresses (arp.src.proto_ipv4):

tshark -r CaptureFile.pcapng -Y "arp.opcode == 2" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4

If you want to do this during a live capture, just replace "-r CaptureFile.pcapng" by "-i" followed by the ID or name of your LAN connection.

JasMan answered 2021-03-29 18:45:57 +0000

Comments

Thank you @JasMan for your advice; perhaps I was not really clear in describing my issue. @Chuckc has provided a more apt resolution.

juandering (2021-03-30 09:18:19 +0000)

@Chuckc was able to understand your question, so I think your description is clear and I've just misunderstood your question. :)

JasMan (2021-03-30 11:43:46 +0000)