
tshark view mac address (vendor) name

I'm new to tshark and trying to print out unique IP addresses and their MAC addresses together with the vendor of each MAC address. This is what I can do for now:

c:\pcap>tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst | sort | uniq -c
     25 00:01:42:00:01:42       10.1.1.1        00:0D:3a:00:0D:3a       172.16.1.1
     12 00:0D:3a:00:0D:3a       172.16.1.1      00:01:42:00:01:42       10.1.1.1

c:\pcap>

Desired Output

25 00:01:42:00:01:42   Cisco Systems, Inc.    10.1.1.1     00:0D:3a:00:0D:3a   Microsoft Corp.      172.16.1.1
12 00:0D:3a:00:0D:3a   Microsoft Corp.        172.16.1.1   00:01:42:00:01:42   Cisco Systems, Inc.  10.1.1.1

Is this possible? If yes, please let me know how to accomplish it using tshark. Thanks.

Sabrina
asked 2018-11-14 17:56:05 +0000, updated 2018-11-15 20:52:12 +0000

1 Answer

You can get part of the way there by using eth.src_resolved and eth.dst_resolved; this will give output such as:

25 Cisco_00:01:42           10.1.1.1        Microsoft_00:0D:3a        172.16.1.1
12 Microsoft_00:0D:3a       172.16.1.1      Cisco_00:01:42            10.1.1.1

i.e. the first 3 octets are replaced with the manufacturer abbreviation as defined in the %WIRESHARK_INSTALL_DIR%\manuf file.

grahamb
answered 2018-11-14 18:25:15 +0000, updated 2018-11-14 18:25:53 +0000

Comments

It makes one wonder why there are no src, dst or addr OUI filters available along with their fully resolved counterparts. Filters like eth.src.oui_resolved contains "Cisco" or eth.addr.oui_resolved ~ "Microsoft Corp." might then be possible. Possible new filters:

eth.src.oui
eth.src.oui_resolved
eth.dst.oui
eth.dst.oui_resolved
eth.addr.oui
eth.addr.oui_resolved

If this is a feature of interest, then I'd suggest opening up a Wireshark enhancement bug request for it at https://bugs.wireshark.org/bugzilla/.

cmaynard (2018-11-14 20:38:52 +0000)

Because you can already do that with eth.src_resolved and eth.dst_resolved?

Jaap (2018-11-15 07:52:45 +0000)

Those filters do not yield resolved OUIs. They give you a highly truncated resolved OUI, combined with the remaining 3 bytes of the MAC address, which isn't the same thing. There are a number of other filterable OUI fields, so it's somewhat surprising to me that there are no Ethernet filterable OUI fields.

$ tshark -G fields | grep OUI | wc -l
63
cmaynard (2018-11-15 16:21:47 +0000)

I was referring to the fact that filter expressions like eth.src_resolved contains "Cisco" are already possible.

I assume the prevailing use case is filtering on the actual OUI octets, such as eth.src[0:3] == 00:16:47

Jaap (2018-11-15 18:06:17 +0000)

Yes, that's true, but a filter such as eth.src_resolved contains "Cisco Systems" wouldn't work because the OUI name is truncated, nor would a filter such as eth.src_resolved == "Cisco Systems, Inc" or even eth.src_resolved ~ "Inc$" because of the extra 3 bytes of the MAC address included in that filter.

And you can't necessarily search very effectively for all "Cisco Systems, Inc" OUIs using a filter such as eth.src[0:3] == 00:16:47 considering the number of Cisco-assigned OUIs:

$ grep "Cisco Systems, Inc" manuf | wc -l
822
cmaynard (2018-11-15 18:29:36 +0000)
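Since tshark itself only gives the truncated `Cisco_00:01:42` form, here is an added example (not from the question or any answer above) of a post-processor that takes the raw `tshark -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst` rows, counts them like `sort | uniq -c`, and looks up each MAC's full vendor name in a manuf-style table by longest prefix, so the /28 and /36 blocks the comments allude to resolve correctly. The manuf excerpt and the tshark rows are constructed; the column layout of manuf (prefix with optional /bits, short name, long name, or an older `# long name` form) is an assumption about the file.

```python
from collections import Counter
# Constructed manuf-style excerpt (the real %WIRESHARK_INSTALL_DIR%\manuf file is
# much longer). Assumed columns: prefix[/bits] <TAB> short name <TAB> long name.
MANUF = """\
00:01:42\tCisco\tCisco Systems, Inc
00:0D:3A\tMicrosoft\tMicrosoft Corp.
00:1B:C5\tIeeeRegi\tIEEE Registration Authority
00:1B:C5:00:00:00/36\tExample\tExample Ltd (constructed)
"""
# Constructed rows as emitted by:
# tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst
TSHARK_ROWS = (["00:01:42:00:01:42\t10.1.1.1\t00:0D:3a:00:0D:3a\t172.16.1.1"] * 3
               + ["00:0D:3a:00:0D:3a\t172.16.1.1\t00:01:42:00:01:42\t10.1.1.1"] * 2)

def mac_int(mac):
    """'00:0D:3a:00:0D:3a' or '00-0d-3a-...' -> 48-bit integer (case-insensitive)."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def parse_manuf(text):
    """Return [(prefix_value, bits, long_name)], longest prefix first so a
    /36 block wins over the 24-bit OUI that contains it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # older manuf files put the long name after '# '; normalise that first
        fields = [f.strip() for f in line.replace("\t# ", "\t").split("\t")]
        prefix, bits = fields[0], 24
        if "/" in prefix:
            prefix, bits = prefix.split("/", 1)
            bits = int(bits)
        # pad the prefix to 12 hex digits, then keep only its top `bits` bits
        h = prefix.replace(":", "").replace("-", "").ljust(12, "0")
        value = int(h, 16) >> (48 - bits)
        long_name = fields[2] if len(fields) > 2 else fields[1]
        entries.append((value, bits, long_name))
    return sorted(entries, key=lambda e: e[1], reverse=True)

def vendor(mac, entries):
    """Full vendor name for a MAC address, or 'unknown' if no prefix matches."""
    m = mac_int(mac)
    for value, bits, name in entries:
        if m >> (48 - bits) == value:
            return name
    return "unknown"

def annotate(rows, entries):
    """Count identical rows (like sort | uniq -c) and add a vendor name after each MAC."""
    counts = Counter(tuple(r.split("\t")) for r in rows if r.strip())
    return [(n, es, vendor(es, entries), isrc, ed, vendor(ed, entries), idst)
            for (es, isrc, ed, idst), n in counts.most_common()]
```

Feeding the contents of the real manuf file to `parse_manuf` and tshark's actual output lines to `annotate` produces the seven-column table the question asks for, with the full vendor string rather than the abbreviated one.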