I am not sure Wireshark is the best tool for this. Some options:

  1. A specific tool for this, like Lansweeper and probably many others. Angry IP Scanner maybe?
  2. On the host running nmap, investigate the ARP cache as that will map IPs to MAC addresses.
  3. tshark output of src IP with src MAC, filtered on a Linux system:

    tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t

You will only be able to reliably map MAC to IP on the local network in most cases.

Example:

    wsuser@wssys:~/tmp$ tshark -r test.pcapng -R ip -2 -T fields -E separator=' ' -e ip.src -e eth.src ip | sort -k1 | uniq | column -t
    10.1.10.1     01:05:ca:08:0f:1c
    10.1.10.50    02:cd:e6:65:aa:c2
    10.1.10.58    03:90:0b:de:10:e5
    10.1.10.6     04:b7:1f:5c:f1:a8
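
An added example, not part of the original answer: a filter for the `ip.src eth.src` pairs printed by the tshark command above that marks which mappings can be trusted. Traffic from off-link hosts arrives with the forwarding router's MAC as `eth.src`, so a MAC seen with several source IPs is not a per-host mapping. The function names `classify_pairs` and `sample_pairs` and all sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Reads "<ip.src> <eth.src>" lines on stdin and prints "<ip> <mac> <label>".
#   unique      the MAC was seen with exactly one source IP (usable mapping)
#   shared-mac  the MAC was seen with several source IPs (likely a router or
#               a multi-addressed host; the IP's real MAC is not visible here)
classify_pairs() {
    LC_ALL=C sort -u | awk '
        NF >= 2 {
            ip[NR] = $1; mac[NR] = $2   # remember each distinct pair
            count[$2]++                 # distinct source IPs per MAC
        }
        END {
            for (i = 1; i <= NR; i++)
                if (i in ip)
                    printf "%s %s %s\n", ip[i], mac[i],
                           (count[mac[i]] > 1 ? "shared-mac" : "unique")
        }'
}

# Constructed sample: two local hosts, plus a gateway (10.1.10.1) that also
# forwards packets from two off-link addresses. One pair is repeated, as it
# would be when the input has not been de-duplicated yet.
sample_pairs() {
    cat <<'EOF'
10.1.10.1 02:00:00:00:00:01
192.0.2.7 02:00:00:00:00:01
198.51.100.20 02:00:00:00:00:01
10.1.10.50 02:00:00:00:00:50
10.1.10.58 02:00:00:00:00:58
10.1.10.50 02:00:00:00:00:50
EOF
}

# With a real capture, pipe the tshark field output from the answer instead:
#   tshark -r test.pcapng ... -e ip.src -e eth.src ip | classify_pairs
sample_pairs | classify_pairs
```

Comparing the `unique` rows against the ARP cache on a host in the same subnet (option 2 in the answer) is a quick cross-check of the result.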