Unique IP - MAC Map from PCAP

Question

I'm trying to get a list of unique IP-MAC mapping from a PCAP file. There are several answers to similar questions but none of them actually meet this exactly. I've tried for example this:

tshark -r ~/Downloads/smallFlows.pcap -T fields -e eth.src -e ip.src -e eth.dst -e ip.dst

Which will list all IP-MAC but there will be duplicates. Piping it into uniq as suggested elsewhere will not work (even duplicate entries will appear on unique lines).

Ideally the output I'm looking for would be two columns, IP and MAC, of every single device in the capture (regardless of whether it's src or dst). Is this possible with the command line or will it require some scripting?

Answer 1

I think this will require some scripting, because of the duplicates you'll get. IP to MAC relationships can be 1-1, 1-n, n-1, and maybe even n-n, so tshark is not enough - you need some sort of database to track what you've seen and correlate things.

Answer 2

I'm trying to get a list of unique IP-MAC mapping

O.K. if you want that, you are probably just interested in the MAC address that is "tied" to an IP address. You won't neccesarily see that with your approach.

Reason:

it will work, if the systems communicate directly!

   MAC1:IP1 ---> IP2:MAC2

It won't work, if the systems communicate through a router

   MAC1:IP1 ---> Router:MACR ---> IP2:MAC2

Furthermore, if you are printing SRC and DST at the same time (some output line), you will get much more (useless) combinations, which makes using uniq harder.

My suggestion:

tshark -nr input.pcap -T fields -e eth.src -e ip.src | uniq > out1
tshark -nr input.pcap -T fields -e eth.dst -e ip.dst | uniq > out2
cat out1 out2 | sort -u > out3

This should bring up only the unique combinations. If you are communicating through a router, you will see the MAC address of the router many times for different IP addresses.

Regards
Kurt