tshark view mac address (vendor) name

asked Nov 14 '18

Sabrina

updated Nov 15 '18

I'm new to tshark and am trying to print out unique IP addresses and their MAC addresses together with the vendor of each MAC address. This is what I can do for now:

c:\pcap>tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst | sort | uniq -c
     25 00:01:42:00:01:42       10.1.1.1        00:0D:3a:00:0D:3a       172.16.1.1
     12 00:0D:3a:00:0D:3a       172.16.1.1      00:01:42:00:01:42       10.1.1.1

c:\pcap>

Desired Output

25 00:01:42:00:01:42   Cisco Systems, Inc.    10.1.1.1     00:0D:3a:00:0D:3a   Microsoft Corp.      172.16.1.1
12 00:0D:3a:00:0D:3a   Microsoft Corp.        172.16.1.1   00:01:42:00:01:42   Cisco Systems, Inc.  10.1.1.1

Is this possible? If yes, please let me know how to accomplish it using tshark. Thanks


1 Answer


answered Nov 14 '18

grahamb

updated Nov 14 '18

You can get part of the way there by using eth.src_resolved and eth.dst_resolved; this will give output such as:

25 Cisco_00:01:42           10.1.1.1        Microsoft_00:0D:3a        172.16.1.1
12 Microsoft_00:0D:3a       172.16.1.1      Cisco_00:01:42            10.1.1.1

i.e. the first 3 octets are replaced with the manufacturer abbreviation as defined in the %WIRESHARK_INSTALL_DIR%\manuf file.
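As an added example (not part of the answer above, and not Wireshark's own code), the following Python post-processes the question's `sort | uniq -c` output and looks each MAC up in a table with the layout of the manuf file (prefix, short name, long name, tab-separated), using longest-prefix matching so the /28 and /36 entries present in newer manuf files resolve to their sub-block owner rather than the enclosing OUI. The manuf excerpt, the 70:B3:D5 sub-block and its vendor name are constructed sample data.

```python
# Constructed excerpt in the layout of Wireshark's manuf file: prefix, short name,
# long name, tab-separated; /28 and /36 suffixes mark the smaller IEEE blocks.
MANUF = """\
00:01:42\tCisco\tCisco Systems, Inc
00:0D:3A\tMicrosoft\tMicrosoft Corp.
70:B3:D5\tIeeeRegi\tIEEE Registration Authority
70:B3:D5:12:30:00/36\tExample\tExample Sensors Ltd
"""

# Constructed lines in the shape of the question's `sort | uniq -c` output.
SAMPLE = [
    "     25 00:01:42:00:01:42       10.1.1.1        00:0D:3a:00:0D:3a       172.16.1.1",
    "     12 00:0D:3a:00:0D:3a       172.16.1.1      00:01:42:00:01:42       10.1.1.1",
]

def parse_manuf(text):
    """Return (prefix_as_48bit_int, prefix_len, long_name) per manuf entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # manuf files carry # comments
        if not line:
            continue
        prefix, _short, long_name = line.split("\t", 2)
        prefix, _, plen = prefix.partition("/")  # plen is empty for plain OUIs
        octets = prefix.split(":") + ["00"] * (5 - prefix.count(":"))
        entries.append((int("".join(octets), 16), int(plen or 24), long_name))
    return entries

def vendor(mac, entries):
    """Longest-prefix match, so a /36 block wins over the /24 it sits in."""
    value = int(mac.replace(":", "").replace("-", ""), 16)
    name, best = "unknown", -1
    for prefix, plen, long_name in entries:
        shift = 48 - plen
        if value >> shift == prefix >> shift and plen > best:
            name, best = long_name, plen
    return name

def annotate(lines, entries):
    """Insert the vendor after each MAC column of the uniq -c output."""
    rows = []
    for line in lines:
        count, smac, sip, dmac, dip = line.split()
        rows.append((count, smac, vendor(smac, entries), sip,
                     dmac, vendor(dmac, entries), dip))
    return rows

if __name__ == "__main__":
    for row in annotate(SAMPLE, parse_manuf(MANUF)):
        print("{:>4} {} {:<28} {:<12} {} {:<28} {}".format(*row))
```

To use it on real data, read the installed manuf file in place of MANUF and feed the tshark pipeline's output in place of SAMPLE.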


Comments

It makes one wonder why there are no src, dst or addr OUI filters available along with their fully resolved counterparts. Filters like eth.src.oui_resolved contains "Cisco" or eth.addr.oui_resolved ~ "Microsoft Corp" might then be possible. Possible new filters:

eth.src.oui
eth.src.oui_resolved
eth.dst.oui
eth.dst.oui_resolved
eth.addr.oui
eth.addr.oui_resolved

If this is a feature of interest, then I'd suggest opening up a Wireshark enhancement bug request for it at https://bugs.wireshark.org/bugzilla/.

cmaynard (Nov 14 '18)

Because you can already do that with eth.src_resolved and eth.dst_resolved?

Jaap (Nov 15 '18)

Those filters do not yield resolved OUIs. They give you a highly truncated resolved OUI, combined with the remaining 3 bytes of the MAC address, which isn't the same thing. There are a number of other filterable OUI fields, so it's somewhat surprising to me that there are no Ethernet filterable OUI fields.

$ tshark -G fields | grep OUI | wc -l
63

cmaynard (Nov 15 '18)

I was referring to the fact that filter expressions like eth.src_resolved contains "Cisco" are already possible.

I assume the prevailing use case is filtering on the actual OUI octets, such as eth.src[0:3] == 00:16:47

Jaap (Nov 15 '18)

Yes, that's true, but a filter such as eth.src_resolved contains "Cisco Systems" wouldn't work because the OUI name is truncated, nor would a filter such as eth.src_resolved == "Cisco Systems, Inc" or even eth.src_resolved ~ "Inc$" because of the extra 3 bytes of the MAC address included in that filter.

And you can't necessarily search very effectively for all "Cisco Systems, Inc" OUIs using a filter such as eth.src[0:3] == 00:16:47 considering the number of Cisco-assigned OUIs:

$ grep "Cisco Systems, Inc" manuf | wc -l
822

cmaynard (Nov 15 '18)
