tshark view mac address (vendor) name

Sabrina
5 ●1 ●1 ●3

I'm new to tshark and trying to print out unique IP address and it's MAC address together with the vendor of that MAC address. This is what I can do for now

c:\pcap>tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst | sort | uniq -c
     25 00:01:42:00:01:42       10.1.1.1        00:0D:3a:00:0D:3a       172.16.1.1
     12 00:0D:3a:00:0D:3a       172.16.1.1      00:01:42:00:01:42       10.1.1.1

c:\pcap>

Desired Output

25 00:01:42:00:01:42   Cisco Systems, Inc.    10.1.1.1     00:0D:3a:00:0D:3a   Microsoft Corp.      172.16.1.1
12 00:0D:3a:00:0D:3a   Microsoft Corp.        172.16.1.1   00:01:42:00:01:42   Cisco Systems, Inc.  10.1.1.1

Is this possible? If yes, please let me know how to accomplish it using tshark. Thanks

add a comment

answered Nov 14 '18

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23850 ●4 ●988 ●227 https://www.wireshark.org

updated Nov 14 '18

You can get part of the way there by using eth.src_resolved and eth.dst_resolved, this will give output such as:

25 Cisco_00:01:42           10.1.1.1        Microsoft_00:0D:3a        172.16.1.1
12 Microsoft_00:0D:3a       172.16.1.1      Cisco_00:01:42            10.1.1.1

i.e. the first 3 octets are replaced with the manufacturer abbreviation as defined in the %WIRSHARK_INSTALL_DIR%\manuf file.

link

Comments

It makes one wonder why there are no src, dst or addr OUI filters available along with their fully resolved counterparts. Filters like eth.src.oui_resolved contains "Cisco" or eth.addr.oui_resolved ~ "Microsoft Corp". might then be possible. Possible new filters:

eth.src.oui
eth.src.oui_resolved
eth.dst.oui
eth.dst.oui_resolved
eth.addr.oui
eth.addr.oui_resolved

If this is a feature of interest, then I'd suggest opening up a Wireshark enhancement bug request for it at https://bugs.wireshark.org/bugzilla/.

cmaynard ( Nov 14 '18 )

Because you can already do that with eth.src_resolved and eth.dst_resolved?

Jaap ( Nov 15 '18 )

Those filters do not yield resolved OUI's. They give you a highly truncated resolved OUI, combined with the remaining 3 bytes of the MAC address, which isn't the same thing. There are a number of other filterable OUI fields, so it's somewhat surprising to me that there are no Ethernet filterable OUI fields.

$ tshark -G fields | grep OUI | wc -l
63

cmaynard ( Nov 15 '18 )

I was referring to filter expressions like eth.src_resolved contains "Cisco" are already possible.

I assume the prevailing use case is filtering on the actual OUI octets, such as eth.src[0:3] == 00:16:47

Jaap ( Nov 15 '18 )

Yes, that's true, but a filter such as eth.src_resolved contains "Cisco Systems" wouldn't work because the OUI name is truncated, nor would a filter such as eth.src_resolved == "Cisco Systems, Inc" or even eth.src_resolved ~ "Inc$" because of the extra 3 bytes of the MAC address included in that filter.

And you can't necessarily search very effectively for all "Cisco Systems, Inc" OUI's using a filter such as eth.src[0:3] == 00:16:47 considering the number of Cisco-assigned OUI's:

$ grep "Cisco Systems, Inc" manuf | wc -l
822

cmaynard ( Nov 15 '18 )

see more comments

tshark view mac address (vendor) name

1 Answer

Comments

Your Answer

Question Tools

Stats

tshark view mac address (vendor) name savecancel

1 Answer

Comments

Your Answer

Question Tools

Stats

tshark view mac address (vendor) name