
Using eth.addr.oui with 'matches'

asked 2023-07-17 21:03:54 +0000

JeepJunky

My goal here is to search the network for all occurrences of NICs that come from a specific vendor. I don't want to use the resolved option (eth.addr.oui.resolved), rather just the eth.addr.oui.

I have no idea how to use this. I've tried space, comma and semicolon delimited lists of eth.add.oui items in the Value field, which doesn't seem correct, but I don't seem to know the magic handshake to get it to work. I am selecting eth.add.oui from the Field Name selector in the Display Filter Expression. In the 'Search:' field, where it seems to autopopulate, it isn't. It says 'eth.addr' not eth.addr.oui. I don't know if that's a bug or expected behavior. Ultimately I am trying to find documentation on how to do this. Any assistance on how to use the Display filter expression builder in this manner would be awesome. Thanks!


1 Answer


answered 2023-07-17 23:04:32 +0000

Chuckc

updated 2023-07-17 23:19:58 +0000

You can use a slice of eth.addr (Wildcard not working in eth.addr)

eth.addr[0:3] == 00:04:f2

or if using eth.addr.oui, set up the filter to do the math (Add new filters for Ethernet src and dst OUI's as well as their resolved OUI's.)

I would like to use eth.addr.oui == 00:30:59

but instead it is eth.addr.oui == 0*65536+0x30*256+0x59

Seems to work in 4.0.7 (screenshot).

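As an added worked example (not part of the answer above and not Wireshark's own code): a small Python helper that turns a vendor prefix into both filter forms the answer shows, the eth.addr[0:3] byte slice and the integer comparison on eth.addr.oui, and generalizes the second form to several vendors at once with a display-filter set (eth.addr.oui in {...}), which is what the comma-separated list in the question was reaching for. The hex literal 0x003059 is the same FT_UINT24 value as 0*65536+0x30*256+0x59. The two OUIs are the ones quoted in the answer; the MAC addresses, the pcap filename and the eth.src.oui/eth.dst.oui field names (taken to be the src/dst variants the linked commit title refers to) are assumptions for the demonstration.

```python
"""Build Wireshark display filters that select frames by Ethernet OUI.

Added example, not code from the original page or from the Wireshark project.
OUIs 00:04:f2 and 00:30:59 come from the answer; the sample MAC addresses
and the pcap filename below are constructed for the demonstration.
"""
import re

_OUI_RE = re.compile(r"^([0-9a-fA-F]{2})[:-]([0-9a-fA-F]{2})[:-]([0-9a-fA-F]{2})$")


def oui_to_int(oui: str) -> int:
    """'00:30:59' -> 0x003059: the unsigned 24-bit value eth.addr.oui holds."""
    m = _OUI_RE.match(oui.strip())
    if not m:
        raise ValueError(f"not an OUI (expected xx:xx:xx): {oui!r}")
    b0, b1, b2 = (int(x, 16) for x in m.groups())
    return b0 * 65536 + b1 * 256 + b2  # the arithmetic from the answer's filter


def oui_filter(ouis, field: str = "eth.addr.oui") -> str:
    """Integer-field form: a hex literal for one vendor, a set for several.

    field may be eth.src.oui or eth.dst.oui (assumed names) to match one direction only.
    """
    vals = sorted({oui_to_int(o) for o in ouis})
    if len(vals) == 1:
        return f"{field} == 0x{vals[0]:06x}"
    members = " ".join(f"0x{v:06x}" for v in vals)
    return f"{field} in {{{members}}}"


def slice_filter(ouis, field: str = "eth.addr") -> str:
    """Byte-slice form from the answer: eth.addr[0:3] == 00:04:f2, or'ed for several."""
    terms = []
    for o in sorted({o.lower().replace("-", ":") for o in ouis}):
        oui_to_int(o)  # validate before emitting
        terms.append(f"{field}[0:3] == {o}")
    return " or ".join(terms)


def tshark_command(pcap: str, ouis) -> list:
    """argv for tshark printing MAC, OUI and resolved OUI of matching frames.

    eth.addr.oui is a hidden field in the packet details, but -T fields -e still extracts it.
    """
    return ["tshark", "-r", pcap, "-Y", oui_filter(ouis), "-T", "fields",
            "-e", "frame.number", "-e", "eth.addr",
            "-e", "eth.addr.oui", "-e", "eth.addr.oui_resolved"]


def mac_matches(mac: str, ouis) -> bool:
    """What either filter does for one address: compare only the first three bytes."""
    return oui_to_int(mac[:8]) in {oui_to_int(o) for o in ouis}


def frame_matches(src: str, dst: str, ouis) -> bool:
    """eth.addr covers both source and destination, so a frame matches if either does."""
    return mac_matches(src, ouis) or mac_matches(dst, ouis)


if __name__ == "__main__":
    vendors = ["00:30:59", "00:04:f2"]
    print(oui_filter(vendors))          # eth.addr.oui in {0x0004f2 0x003059}
    print(slice_filter(vendors))        # eth.addr[0:3] == 00:04:f2 or eth.addr[0:3] == 00:30:59
    print(" ".join(tshark_command("capture.pcap", vendors)))
    # constructed frames: one from a matching vendor, one not
    print(frame_matches("00:30:59:01:02:03", "ff:ff:ff:ff:ff:ff", vendors))  # True
    print(frame_matches("00:30:58:01:02:03", "00:04:f1:00:00:00", vendors))  # False
```

The slice form works in any Wireshark version, while eth.addr.oui exists only from 3.2.0 onward (see the field table in the comments below); both compare the raw first three octets, so they also match locally administered and multicast addresses whose first octet happens to equal the vendor's.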

Comments

That is the problem, I had no idea how to approach this (the dot oui version). Is this in a Wireshark document somewhere? Thank you.

JeepJunky (2023-07-18 01:00:16 +0000)

eth.addr.oui and eth.addr.oui_resolved are added as hidden fields (packet-eth.c):

  addr_item = proto_tree_add_item(addr_tree, hf_eth_addr_oui, tvb, 0, 3, ENC_NA);
  proto_item_set_generated(addr_item);
  proto_item_set_hidden(addr_item);

  if (dst_oui_name != NULL) {
    addr_item = proto_tree_add_string(addr_tree, hf_eth_addr_oui_resolved, tvb, 0, 6, dst_oui_name);
    proto_item_set_generated(addr_item);
    proto_item_set_hidden(addr_item);
  }

If they were visible in the "Packet Details" pane you could select one and see the field type in the status bar.

Field types are available in the gui - View->Internals->Supported Protocols
In the code it's a FT_UINT24 listed as Type "Unsigned integer (3 bytes)" in the Supported Protocols.

The online Wireshark Display Filter Reference lists it as:

Field name             Description             Type                           Versions
eth.addr               Address                 Ethernet or other MAC address  1.0.0 to 4.0.7
eth.addr.oui           Address OUI             Unsigned integer (24 bits)     3.2.0 to 4.0.7
eth.addr.oui_resolved  Address OUI (resolved)  Character string               3.2.0 to 4.0.7
Chuckc (2023-07-18 01:47:41 +0000)

Set preference protocols.display_hidden_proto_items TRUE to see hidden items in packet details.

Edit->Preferences...->Protocols: Display hidden protocol items

Chuckc (2023-07-18 11:45:22 +0000)

This opens up knowledge of Wireshark I've never seen in any classes I've taken on it before. Thank you for all the tips today. I don't know if this is the type of forum where you mark answers as accepted or vote on an answer. I'll dig around and if I find it, I'll mark it. Regardless, thanks for sharing your knowledge. I have a well-functioning filter now.

JeepJunky (2023-07-18 11:50:50 +0000)

The Wireshark Discord (see link on https://ask.wireshark.org/questions/) is a good place to learn also.

Chuckc (2023-07-18 12:47:24 +0000)


Asked: 2023-07-17 21:03:54 +0000

Seen: 808 times

Last updated: Jul 17 '23