
tshark view mac address (vendor) name

asked 2018-11-14 17:56:05 +0000

Sabrina

updated 2018-11-15 20:52:12 +0000

I'm new to tshark and trying to print out each unique IP address and its MAC address together with the vendor of that MAC address. This is what I can do for now:

c:\pcap>tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst | sort | uniq -c
     25 00:01:42:00:01:42       10.1.1.1        00:0D:3a:00:0D:3a       172.16.1.1
     12 00:0D:3a:00:0D:3a       172.16.1.1      00:01:42:00:01:42       10.1.1.1

c:\pcap>

Desired Output

25 00:01:42:00:01:42   Cisco Systems, Inc.    10.1.1.1     00:0D:3a:00:0D:3a   Microsoft Corp.      172.16.1.1
12 00:0D:3a:00:0D:3a   Microsoft Corp.        172.16.1.1   00:01:42:00:01:42   Cisco Systems, Inc.  10.1.1.1

Is this possible? If yes, please let me know how to accomplish it using tshark. Thanks


1 Answer


answered 2018-11-14 18:25:15 +0000

grahamb

updated 2018-11-14 18:25:53 +0000

You can get part of the way there by using eth.src_resolved and eth.dst_resolved; this will give output such as:

25 Cisco_00:01:42           10.1.1.1        Microsoft_00:0D:3a        172.16.1.1
12 Microsoft_00:0D:3a       172.16.1.1      Cisco_00:01:42            10.1.1.1

i.e. the first 3 octets are replaced with the manufacturer abbreviation as defined in the %WIRESHARK_INSTALL_DIR%\manuf file.


Comments

It makes one wonder why there are no src, dst or addr OUI filters available along with their fully resolved counterparts. Filters like eth.src.oui_resolved contains "Cisco" or eth.addr.oui_resolved ~ "Microsoft Corp." might then be possible. Possible new filters:

eth.src.oui
eth.src.oui_resolved
eth.dst.oui
eth.dst.oui_resolved
eth.addr.oui
eth.addr.oui_resolved

If this is a feature of interest, then I'd suggest opening up a Wireshark enhancement bug request for it at https://bugs.wireshark.org/bugzilla/.

cmaynard ( 2018-11-14 20:38:52 +0000 )

Because you can already do that with eth.src_resolved and eth.dst_resolved?

Jaap ( 2018-11-15 07:52:45 +0000 )

Those filters do not yield resolved OUIs. They give you a highly truncated resolved OUI, combined with the remaining 3 bytes of the MAC address, which isn't the same thing. There are a number of other filterable OUI fields, so it's somewhat surprising to me that there are no Ethernet filterable OUI fields.

$ tshark -G fields | grep OUI | wc -l
63

cmaynard ( 2018-11-15 16:21:47 +0000 )

I was referring to the fact that filter expressions like eth.src_resolved contains "Cisco" are already possible.

I assume the prevailing use case is filtering on the actual OUI octets, such as eth.src[0:3] == 00:16:47.

Jaap ( 2018-11-15 18:06:17 +0000 )

Yes, that's true, but a filter such as eth.src_resolved contains "Cisco Systems" wouldn't work because the OUI name is truncated, nor would a filter such as eth.src_resolved == "Cisco Systems, Inc" or even eth.src_resolved ~ "Inc$" because of the extra 3 bytes of the MAC address included in that filter.

And you can't necessarily search very effectively for all "Cisco Systems, Inc" OUIs using a filter such as eth.src[0:3] == 00:16:47 considering the number of Cisco-assigned OUIs:

$ grep "Cisco Systems, Inc" manuf | wc -l
822

cmaynard ( 2018-11-15 18:29:36 +0000 )
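
Because eth.src_resolved only carries the truncated vendor abbreviation, the full name the question asks for can be added by post-processing the tshark output against the manuf file. The following is an added example, not part of the original thread or of Wireshark; the function names and sample data are constructed, and it assumes the manuf layout is tab-separated (prefix, short name, long name, with older files writing "# " before the long name).

```python
import io
import re

# Constructed sample in the assumed manuf layout (not a real manuf file).
SAMPLE_MANUF = (
    "# constructed sample\n"
    "00:01:42\tCisco\tCisco Systems, Inc\n"
    "00:0D:3A\tMicrosoft\t# Microsoft Corp.\n"
    "00:1B:C5:00:00:00/36\tConverging\tConverging Systems Inc.\n"
)
# Constructed sample shaped like the question's `tshark -T fields ... | sort | uniq -c` output.
SAMPLE_TSHARK = (
    "     25 00:01:42:00:01:42\t10.1.1.1\t00:0D:3a:00:0D:3a\t172.16.1.1\n"
    "     12 00:0D:3a:00:0D:3a\t172.16.1.1\t00:01:42:00:01:42\t10.1.1.1\n"
)
# Strict MAC pattern so IPv6 addresses with five colons are not mistaken for MACs.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

def load_manuf(lines):
    """Map a 24-bit OUI (6 uppercase hex digits) to the full vendor name."""
    vendors = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.rstrip("\n").split("\t")
        prefix = cols[0].strip()
        if "/" in prefix or len(cols) < 2:
            continue  # /28 and /36 sub-allocations are not handled in this example
        oui = prefix.replace(":", "").replace("-", "").upper()[:6]
        vendors[oui] = cols[-1].lstrip("# ").strip()
    return vendors

def annotate(tshark_lines, vendors):
    """Insert the full vendor name after every MAC address field."""
    out = []
    for line in tshark_lines:
        if not line.strip():
            continue
        count, rest = line.rstrip("\n").lstrip().split(" ", 1)
        row = [count]
        for field in rest.split("\t"):  # empty fields (non-IP frames) are kept
            row.append(field)
            if MAC_RE.fullmatch(field):
                oui = field.replace(":", "").upper()[:6]
                row.append(vendors.get(oui, "(unknown)"))
        out.append("\t".join(row))
    return out

if __name__ == "__main__":
    table = load_manuf(io.StringIO(SAMPLE_MANUF))
    print("\n".join(annotate(SAMPLE_TSHARK.splitlines(), table)))
```

For real use, pass the open manuf file to load_manuf and sys.stdin to annotate instead of the constructed samples.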


Stats

Asked: 2018-11-14 17:56:05 +0000

Seen: 8,550 times

Last updated: Nov 15 '18