This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MAC (reverse) name resolution in tshark

1

Hi,

I have a few MAC addresses where the OUI portions have been resolved: e.g. Intel_05:04:03.

Is it possible to use tshark to get the actual MAC address for each of my “name resolved” addresses? E.g. get 02:A0:C9:05:04:03 from Intel_05:04:03?

If this is not possible with tshark, what would be the easiest way to achieve this on a Linux host?

Many thanks.

asked 03 Jun '13, 23:52


wsblvd
accept rate: 0%


3 Answers:

3

Using the unresolved and resolved hw address as columns would do the trick; however, it seems that there is a bug that prevents simultaneous display of the resolved and unresolved addresses:

$ ./tshark -lr ../pcap/http.cap -o column.format:"rhs","%rhs","uhs","%uhs" | sort | uniq
Apple_d8:87:48 Apple_d8:87:48
JuniperN_bb:d1:3b JuniperN_bb:d1:3b
$

I will have a look at why this is...

answered 04 Jun '13, 12:40


SYN-bit ♦♦
accept rate: 20%

2

Fixed in revision 49776 which will be included in the next 1.8 release.

$ ./tshark -lr clean-test02.cap -o column.format:"rhs","%rhs","uhs","%uhs" | sort | uniq
Cisco_8f:2c:95 00:19:2f:8f:2c:95
Cisco_fe:1b:02 00:0b:fc:fe:1b:02
Dell_fc:92:7d 00:1e:4f:fc:92:7d
$
(04 Jun '13, 14:51) SYN-bit ♦♦

BTW, once Wireshark has resolved the MAC address, there is no (guaranteed) way back, as multiple OUIs can point to the same vendor. See the example in my last comment where both 00:19:2f:xx:xx:xx and 00:0b:fc:xx:xx:xx resolved to "Cisco".

(04 Jun '13, 14:54) SYN-bit ♦♦

Many thanks for the help.

(05 Jun '13, 05:53) wsblvd

Hi both, I'm getting a similar problem... would you mind taking a look at this other thread? Thanks in advance!

http://ask.wireshark.org/questions/26001/show-untranslated-and-translated-mac-addresses-in-different-columns-at-the-time

(15 Oct '13, 07:01) legramo

0

You can turn MAC resolution off: Edit -> Preferences -> Name Resolution, untick "Resolve MAC addresses".

answered 04 Jun '13, 03:29


Anders ♦
accept rate: 17%

Many thanks for the suggestions but I already have these addresses that have been “resolved”. What can be done to get the actual MAC address? I was wondering if there was a convenient way to get the Ethernet manufacturer codes of these addresses without having to search /etc/manuf.

(04 Jun '13, 12:13) wsblvd

Oh, yeah, in that case you'd have to reverse-map them from (preferably) Wireshark's manuf file. You'd have to do that manually or (more likely) write a script to do it.

Wireshark's manuf file is in /usr/share/wireshark/manuf (assuming Wireshark was installed in /usr).

(04 Jun '13, 12:27) JeffMorriss ♦

Many thanks Jeff.

(05 Jun '13, 05:55) wsblvd
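The script Jeff suggests, as an added example that is not from this thread or from the Wireshark project: it parses the manuf file (taking the first tab-separated field as the prefix and the second as the short vendor name, which also tolerates older files that put the long name after a `#`), builds a short-name to OUI index, and expands a resolved name such as `Cisco_8f:2c:95` into every MAC it could have come from. Returning a list rather than a single address is deliberate: as SYN-bit notes above, several OUIs can share one short name, so the caller sees the ambiguity instead of a silently wrong address. The manuf lines embedded below are a constructed sample (the Cisco and Dell OUIs are copied from the tshark output in this thread; the Intel line and the `/36` line are assumed sample entries), the `/usr/share/wireshark/manuf` path is the one Jeff gives, and entries with a `/28` or `/36` mask are skipped as a simplification, since those blocks are not plain 24-bit OUIs.

```python
"""Reverse-map Wireshark-resolved MAC names (e.g. "Cisco_8f:2c:95")
back to candidate full MAC addresses using the manuf file."""
import re
from collections import defaultdict

# Constructed sample of the manuf layout: <prefix>\t<short name>\t<long name>.
# Cisco/Dell OUIs come from the thread's tshark output; the rest is assumed.
SAMPLE_MANUF = """\
# sample manuf lines (constructed for this example)
00:19:2F\tCisco\tCisco Systems, Inc
00:0B:FC\tCisco\tCisco Systems, Inc
00:1E:4F\tDell\tDell Inc.
00:A0:C9\tIntel\tIntel Corporation
00:1B:C5:00:00:00/36\tConverg\tConvergence (masked block, skipped below)
"""

# Wireshark prints resolved hardware addresses as <ShortName>_xx:xx:xx
RESOLVED_RE = re.compile(
    r"^(?P<vendor>[^_\s]+)_(?P<tail>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})$"
)


def parse_manuf(text):
    """Return {short_name: [oui, ...]} for every plain 24-bit entry in a manuf file."""
    vendors = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (and old-style long names)
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        prefix, short = fields[0].strip(), fields[1].strip()
        if "/" in prefix:  # /28 or /36 block: not a plain OUI, skipped here
            continue
        octets = prefix.split(":")
        if len(octets) != 3:
            continue
        vendors[short].append(":".join(o.lower() for o in octets))
    return dict(vendors)


def reverse_resolve(resolved, vendors):
    """Expand 'Vendor_xx:xx:xx' into every MAC it could have come from.

    Returns [] when the input is not in Vendor_xx:xx:xx form (e.g. it is already
    a raw MAC) or the vendor is unknown. More than one result means the original
    address is ambiguous: several OUIs map to the same short name.
    """
    m = RESOLVED_RE.match(resolved)
    if not m:
        return []
    tail = m.group("tail").lower()
    return sorted(f"{oui}:{tail}" for oui in vendors.get(m.group("vendor"), []))


def load_manuf(path="/usr/share/wireshark/manuf"):
    """Index the installed manuf file (path per Jeff's comment; adjust if needed)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return parse_manuf(f.read())


if __name__ == "__main__":
    index = parse_manuf(SAMPLE_MANUF)  # swap for load_manuf() on a real host
    for name in ("Intel_05:04:03", "Cisco_8f:2c:95", "00:1e:4f:fc:92:7d", "Nobody_01:02:03"):
        print(name, "->", reverse_resolve(name, index) or "no match")
```

Run against the real file with `load_manuf()`; if a name expands to more than one candidate, only the raw capture (or tshark's `uhs` column, as in SYN-bit's fixed example) can tell you which one it was.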

0

You can also control whether this resolution happens in the first place with tshark's "-N" option (see the man page for details).

answered 04 Jun '13, 06:21


JeffMorriss ♦
accept rate: 27%