MAC Name resolution

I have looked for the ethers file, but it does not exist in any Wireshark directory. I am using Windows 10 x64. I have created the ethers file and placed it in every directory I can think to place it in, but I am still unable to have the MACs resolved to names. I have even added the MACs I want resolved to the wka file, as that actually exists.

I have restarted Wireshark after every change I have made. Resolve MAC addresses is enabled in Preferences > Name Resolution.

bwinslow asked 2019-04-06 14:29:32 +0000

3 Answers

I found that I can add MAC addresses and host names for them to resolve to in the manuf file in the Wireshark program directory.

bwinslow answered 2019-04-08 19:20:47 +0000

Comments

But if you put the same entries into a new ethers file in the same directory, it doesn't work?

Guy Harris (2019-04-08 19:37:29 +0000)

Correct. I think it may have been a file type issue, since the file didn't exist to begin with. When I edited the manuf file, I had to move it out of this directory to edit and move it back because my permissions would not allow me to save something within that directory, but I could paste something into it, or delete files, which doesn't make sense. I would have to ask our administrator about those permissions.

bwinslow (2019-04-09 12:11:46 +0000)

If you want to know where files are, go to the About Wireshark dialog. On the Folder panel you'll see the directories for the different kinds of files listed there. The ethers file you are looking for is in the folder listed as System.

Jaap answered 2019-04-06 15:54:08 +0000

Comments

The problem is that it isn't actually there. I did see it listed as a "Typical file" there in the About Wireshark > Folders tab, but the file did not exist in that directory. As I said, I created the file because it didn't exist, but it still did not work.

bwinslow (2019-04-06 15:58:04 +0000)

There is no "ethers" file by default, so indeed you need to create it yourself. I just tested this on Wireshark 2.6.7 and can confirm that it does work with the following caveats:

  1. The "ethers" file will only be read at the startup of Wireshark (so reloading a file or reading a new one will not load it, which one might consider a bug).
  2. The "ethers" resolving is not configuration profile aware. This means the "ethers" file in your default personal preferences folder will be used (and it will be used with all profiles). "ethers" files in configuration profile directories are ignored (which one might consider a bug).

The file format of the ethers file is:

xx:xx:xx:xx:xx:xx    host-xxx
yy:yy:yy:yy:yy:yy    host-yada

SYN-bit answered 2019-04-07 21:59:25 +0000

Comments

Is there a specific file type the file needs to be saved as? I have closed and restarted Wireshark with every iteration I have tried. I tried with your formatting with spaces, with tabs (as it looks like you have), with the host-name format, with just the name. I reinstalled Wireshark, and still no luck. I have been trying in the default view, and tried in other profiles each time.

bwinslow (2019-04-08 11:50:56 +0000)

Which version of Wireshark are you using and on what OS?

SYN-bit (2019-04-09 08:12:43 +0000)

I was using version 3 on Windows 10, but have uninstalled and am using v2.6.7.0 now, but have not tried to change or look for an ethers file yet. I made this change due to other issues I was having with Wireshark crashing.

bwinslow (2019-04-09 12:12:09 +0000)
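
Added example (not part of the original thread and not Wireshark code): a small Python check for the two things discussed in the answer above, the file name behind the suspected "file type issue" and the `xx:xx:xx:xx:xx:xx    host-xxx` line format. The `lint_ethers` helper, the sample addresses, and the treatment of `#` comments, byte-order marks and UTF-16 text as things to rule out are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Format from the answer above: six colon-separated hex octets, whitespace, name.
ENTRY = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s*$")
# Assumption: an editor-added byte-order mark is worth ruling out.
BOMS = {b"\xef\xbb\xbf": "UTF-8", b"\xff\xfe": "UTF-16 LE", b"\xfe\xff": "UTF-16 BE"}

def lint_ethers(filename, raw):
    """Return (entries, problems) for the raw bytes of a candidate ethers file."""
    entries, problems = {}, []
    base = PureWindowsPath(filename).name      # accepts both \ and / separators
    if base != "ethers":                       # e.g. an editor saved "ethers.txt"
        problems.append(f"file is named {base!r}, not 'ethers'")
    for bom, label in BOMS.items():
        if raw.startswith(bom):
            problems.append(f"file starts with a {label} byte-order mark")
            raw = raw[len(bom):]
            break
    if b"\x00" in raw:                         # typical of UTF-16 encoded text
        problems.append("NUL bytes found: file is not plain single-byte text")
        raw = raw.replace(b"\x00", b"")
    for number, line in enumerate(raw.decode("ascii", "replace").splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        match = ENTRY.match(line)
        if not match:
            problems.append(f"line {number}: not 'xx:xx:xx:xx:xx:xx name': {line!r}")
            continue
        mac, name = match.group(1).lower(), match.group(2)
        if mac in entries:
            problems.append(f"line {number}: duplicate entry for {mac}")
        entries[mac] = name
    return entries, problems

# Constructed samples: the addresses and host names are made up.
GOOD = b"00:11:22:33:44:55\thost-xxx\r\n66:77:88:99:aa:bb    host-yada\r\n"
NOTEPAD = "00:11:22:33:44:55 host-xxx\r\n001122334455 host-bad\r\n".encode("utf-16")

if __name__ == "__main__":
    for name, data in (("ethers", GOOD), ("ethers.txt", NOTEPAD)):
        entries, problems = lint_ethers(name, data)
        print(name, entries)
        for problem in problems:
            print("  !", problem)
```

To check a real file, pass its path and `open(path, "rb").read()` to `lint_ethers`; remember from the answer above that the file is only read at Wireshark startup.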