This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I watch resolved and unresolved MAC simultaneously?

0

How do I watch resolved and unresolved MAC simultaneously? All columns I add are either resolved or unresolved...

asked 27 Oct '11, 02:02

Daniil Kharkov
1111
accept rate: 0%


One Answer:

1

If you mean "how can I see both the resolved and unresolved MAC in the same column?", the answer is "you can't". Wireshark doesn't support that.

If you mean "how can I see both the resolved and unresolved MAC in different columns", the answer is "add one column for the resolved address and another column for the unresolved address".

answered 27 Oct '11, 18:45

Guy Harris ♦♦
17.4k335196
accept rate: 19%

The thing I realized when testing for Daniil's question was that

  1. There are only resolved or unresolved MAC addresses depending on name resolution setting (both columns in 1.6.2 on my machine show the same results)
  2. There is the IP address being displayed in the column as soon as there is an IP header in the frame

Is this wanted?

(28 Oct '11, 00:24) Landi

Is what wanted?

You can have "resolved", "unresolved", or unspecified columns; "resolved" and unspecified currently mean "show the resolved value if resolution is enabled and it could be resolved" (I think the intention was that "resolved" resolves regardless of whether resolution is enabled) and "unresolved" always shows the unresolved value.

You can have source or destination columns.

You can have the link-layer ("Hw") address, the network-layer address, or just an address, which is "network-layer if it has one, link-layer otherwise".

All of those can be selected independently.

(28 Oct '11, 02:13) Guy Harris ♦♦

I see the same results in Hw src addr (resolved) and Hw src addr (unresolved), that's what I'm talking about! Both columns just change from resolved to unresolved via the general name resolution setting on my current test setup with 1.6.2.

(28 Oct '11, 02:25) Landi
1

Link-layer addresses are resolved by looking in the ethers file in the Wireshark install directory, if one exists, and in your Wireshark configuration directory, if it exists, and by Wireshark looking at ARP replies and associating whatever host name is found for the IP address with the corresponding Ethernet address. Without any information from those sources, it just shows the MAC address for a "resolved" address.

(28 Oct '11, 02:56) Guy Harris ♦♦
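
The lookup described in the last comment, as an added example that is not part of the original thread and is not Wireshark's own code: it builds a name table from ethers-style entries and from ARP replies, then returns the unresolved and "resolved" column values side by side. The sample addresses and names are constructed, the function names are hypothetical, and letting ethers entries override ARP-learned names is an assumption.

```python
import re

# Constructed sample data (assumptions, not taken from the thread).
ETHERS_TEXT = """\
# hardware address   name
00:00:5e:00:53:01    fileserver
00-00-5E-00-53-02    printer    # dashes are accepted too
"""
HOSTS = {"192.0.2.10": "gateway"}            # IP -> host name already known
ARP_REPLIES = [("192.0.2.10", "00:00:5e:00:53:10"),   # (sender IP, sender MAC)
               ("192.0.2.99", "00:00:5e:00:53:99")]   # no host name for this IP

def norm(mac):
    """Return lower-case colon form; bytes may be split by ':', '-' or '.'."""
    parts = re.split(r"[:.\-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def parse_ethers(text):
    """Parse 'address name' lines, skipping comments and malformed lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) != 2:
            continue
        try:
            table[norm(fields[0])] = fields[1].strip()
        except ValueError:
            continue
    return table

def learn_from_arp(replies, hosts):
    """Give a MAC the host name already known for the IP in its ARP reply."""
    return {norm(mac): hosts[ip] for ip, mac in replies if ip in hosts}

def build_names():
    # Assumption: an ethers entry wins over an ARP-learned name.
    return {**learn_from_arp(ARP_REPLIES, HOSTS), **parse_ethers(ETHERS_TEXT)}

def columns(mac, names, resolution_enabled=True):
    """Return (unresolved, resolved); 'resolved' falls back to the raw MAC."""
    raw = norm(mac)
    return raw, (names.get(raw, raw) if resolution_enabled else raw)

if __name__ == "__main__":
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:99"):
        print("%-19s %s" % columns(mac, build_names()))
```

The last address has no ethers entry and no ARP-derived name, so both values are the bare MAC, which is the case where a "resolved" and an "unresolved" column look identical.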