tshark view mac address (vendor) name

asked 2018-11-14 17:56:05 +0000

Sabrina

updated 2018-11-15 20:52:12 +0000

I'm new to tshark and am trying to print out each unique IP address and its MAC address, together with the vendor of that MAC address. This is what I can do for now:

c:\pcap>tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst | sort | uniq -c
     25 00:01:42:00:01:42       10.1.1.1        00:0D:3a:00:0D:3a       172.16.1.1
     12 00:0D:3a:00:0D:3a       172.16.1.1      00:01:42:00:01:42       10.1.1.1

c:\pcap>

Desired Output

25 00:01:42:00:01:42   Cisco Systems, Inc.    10.1.1.1     00:0D:3a:00:0D:3a   Microsoft Corp.      172.16.1.1
12 00:0D:3a:00:0D:3a   Microsoft Corp.        172.16.1.1   00:01:42:00:01:42   Cisco Systems, Inc.  10.1.1.1

Is this possible? If yes, please let me know how to accomplish it using tshark. Thanks


1 Answer

answered 2018-11-14 18:25:15 +0000

grahamb

updated 2018-11-14 18:25:53 +0000

You can get part of the way there by using eth.src_resolved and eth.dst_resolved; this will give output such as:

25 Cisco_00:01:42           10.1.1.1        Microsoft_00:0D:3a        172.16.1.1
12 Microsoft_00:0D:3a       172.16.1.1      Cisco_00:01:42            10.1.1.1

i.e. the first 3 octets are replaced with the manufacturer abbreviation as defined in the %WIRESHARK_INSTALL_DIR%\manuf file.


Comments

It makes one wonder why there are no src, dst or addr OUI filters available along with their fully resolved counterparts. Filters like eth.src.oui_resolved contains "Cisco" or eth.addr.oui_resolved ~ "Microsoft Corp" might then be possible. Possible new filters:

eth.src.oui
eth.src.oui_resolved
eth.dst.oui
eth.dst.oui_resolved
eth.addr.oui
eth.addr.oui_resolved

If this is a feature of interest, then I'd suggest opening up a Wireshark enhancement bug request for it at https://bugs.wireshark.org/bugzilla/.

cmaynard ( 2018-11-14 20:38:52 +0000 )

Because you can already do that with eth.src_resolved and eth.dst_resolved?

Jaap ( 2018-11-15 07:52:45 +0000 )

Those filters do not yield resolved OUIs. They give you a highly truncated resolved OUI, combined with the remaining 3 bytes of the MAC address, which isn't the same thing. There are a number of other filterable OUI fields, so it's somewhat surprising to me that there are no Ethernet filterable OUI fields.

$ tshark -G fields | grep OUI | wc -l
63
cmaynard ( 2018-11-15 16:21:47 +0000 )

I was referring to the fact that filter expressions like eth.src_resolved contains "Cisco" are already possible.

I assume the prevailing use case is filtering on the actual OUI octets, such as eth.src[0:3] == 00:16:47

Jaap ( 2018-11-15 18:06:17 +0000 )

Yes, that's true, but a filter such as eth.src_resolved contains "Cisco Systems" wouldn't work because the OUI name is truncated, nor would a filter such as eth.src_resolved == "Cisco Systems, Inc" or even eth.src_resolved ~ "Inc$" because of the extra 3 bytes of the MAC address included in that filter.

And you can't necessarily search very effectively for all "Cisco Systems, Inc" OUIs using a filter such as eth.src[0:3] == 00:16:47, considering the number of Cisco-assigned OUIs:

$ grep "Cisco Systems, Inc" manuf | wc -l
822
cmaynard ( 2018-11-15 18:29:36 +0000 )

By the way, the longest manufacturer's name appears to be 88 characters in length, so if truncated names are to be avoided, MAXNAMELEN may need to be increased to accommodate it, or a different value defined specifically for manufacturers' names.

$ grep -v "^#" manuf | cut -f 3 | sort -u | awk '{print length, $0 }' | sort -n | tail -1
88 Beijing National Railway Research & Design Institute of Signal & Communication Co., Ltd.
cmaynard ( 2018-11-15 19:19:27 +0000 )

Probably there's no need for filtering for eth.src_resolved == "Cisco Systems, Inc", as this would leave out about 100 other Cisco-related OUIs. Try grepping for "Cisco" in manuf.

That being said, I'm not against adding this to the ethernet address dissection, but I don't see a big demand for it either. Otherwise it would have been an obvious addition created years ago already.

Jaap ( 2018-11-16 06:45:29 +0000 )

The filter for Cisco Systems, Inc was just one example to illustrate the point of a complete and exact OUI string match. Perhaps a better example to help drive the point home might be eth.src.oui_resolved == "Universal Global Scientific Industrial Co., Ltd." to isolate it from other irrelevant OUIs whose currently resolved names are all truncated to simply Universa, such as Universal Talkware Corporation, etc.

As for demand, I agree that there doesn't appear to be much of it, but Bug 3666 was opened long ago regarding a truncated resolved OUI name where @gerald-combs did mention in Comment 5:

I don't see why we wouldn't print the full manufacturer name, but it would probably be worth a discussion on wireshark-users to see if anyone depends on this.

In any case, it's not too important for me personally, but it might be a useful/interesting ...(more)

cmaynard ( 2018-11-16 16:44:19 +0000 )

For what it's worth, bug 15300 and bug 15393 have been filed as a direct result of this question being asked.

cmaynard ( 2019-01-03 21:42:37 +0000 )
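Combining the answer's manuf-file lookup with cmaynard's point that the resolved names are truncated, here is an added Python post-processor (my example, not code from the question, the answer or Wireshark) that parses manuf entries and inserts the full third-column vendor name after each MAC address in the tshark field output, giving the layout the question asks for. The manuf excerpt is constructed, the script name annotate_manuf.py is hypothetical, and /28 and /36 prefix-length entries are handled as the newer manuf files write them.

```python
import sys

# Constructed manuf excerpt (not the real file): tab-separated prefix,
# short name, long name. Newer manuf files also carry /28 and /36 prefixes.
SAMPLE_MANUF = """# comment line
00:01:42\tCisco\tCisco Systems, Inc.
00:0D:3A\tMicrosof\tMicrosoft Corp.
00:50:C2:2C:E0:00/36\tUniversa\tUniversal Global Scientific Industrial Co., Ltd.
"""

def parse_manuf(text):
    """Return (prefix_value, prefix_bits, long_name) entries, longest prefix first."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].rstrip().split("\t")
        if len(fields) < 2:
            continue  # blank line or comment
        prefix, _, mask = fields[0].partition("/")
        digits = prefix.replace(":", "").replace("-", "")
        # Left-align the prefix in a 48-bit value; /24 is implied without a mask.
        value = int(digits, 16) << (48 - 4 * len(digits))
        entries.append((value, int(mask or "24"), fields[-1]))
    entries.sort(key=lambda e: -e[1])  # so a /36 block wins over its /24 parent
    return entries

def vendor_for(mac, entries, default="Unknown"):
    """Longest-prefix match of a MAC address against the parsed manuf table."""
    m = int(mac.replace(":", "").replace("-", ""), 16)
    for value, bits, name in entries:
        mask = ((1 << bits) - 1) << (48 - bits)
        if m & mask == value & mask:
            return name
    return default

def annotate_line(line, entries):
    """Insert the full vendor name after each MAC-shaped field (xx:xx:xx:xx:xx:xx)."""
    out = []
    for tok in line.split():
        out.append(tok)
        if len(tok) == 17 and tok.count(":") == 5:
            out.append(vendor_for(tok, entries))
    return "\t".join(out)

if __name__ == "__main__":
    # Read the real manuf file given as argv[1] and annotate tshark output on stdin.
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        table = parse_manuf(f.read())
    for raw in sys.stdin:
        print(annotate_line(raw.rstrip("\n"), table))
```

Feed it the uniq -c output from the question, e.g. tshark -r input.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst | sort | uniq -c | python3 annotate_manuf.py %WIRESHARK_INSTALL_DIR%\manuf.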
