1 | initial version |
You can use the display filter "arp.opcode == 2" to show ARP replies only. To add the senders IP and mac address as column, select one packet, expand the "Address Resolution Protocol (reply)" section, rightclick on "Sender MAC address" and choose "Add as column". Do the same with "Sender IP address".
You can also use tshark (located in the installation folder of Wireshark) to export a list of all ARP replies from a capture file, containing the mac (arp.src.hw_mac) and IP addresses (arp.src.proto_ipv4):
tshark -r CaptureFile.pcapng -Y "arp.opcode == 2" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4
If you want to do this during a live capture, just replace "-r CaptureFile.pcapng" by "-i" followed by the ID or name of your LAN connection.