This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I'm trying to solve a problem directly related to MAC address resolution in tshark. Our purpose is to be able to filter packets from specific brands, for instance Apple, Samsung, etc...

http://ask.wireshark.org/questions/24314/possible-to-use-the-mac-info-in-the-wireshark-manuf-file-as-part-of-display-filter?page=1&focusedAnswerId=24607#24607

First of all, we're getting the MAC addresses, but the MAC resolution doesn't work at all:

tshark version -> 1.10.2

sudo tshark -i wlan1 -N mntC -T fields -e wlan.sa

00:30:be:f9:90:89

...

No translation! Are we missing anything?

Thanks!

asked 25 Sep '13, 02:47

legramo

converted to question 25 Sep '13, 02:51

grahamb ♦

@legramo, please don't ask questions on the back of an existing one, just create a new question.

I've converted your "answer" to a new question.

(25 Sep '13, 02:52) grahamb ♦

Ok! I'll follow your advice next time.

(15 Oct '13, 06:03) legramo

HINT: for a working solution: please see ++ UPDATE #2 ++

There are two things:

  1. You are looking at the MAC address in wlan.sa. I'm not sure if name resolution was implemented for that as well.

  2. You are referring to another question, where an enhancement was announced. However:

Since this would be considered a new feature, it's not going to be backported to 1.10 or 1.8, since no new features go into stable releases.

If that enhancement would solve your problem, you can't use it with 1.10.0, as the feature will not be backported. Please use the current build:

http://www.wireshark.org/download/automated/

++ UPDATE ++

I just checked the latest release trunk autobuild (TShark 1.11.0-SVN-52212). Here is what I found:

Name resolution works in tshark (-N m for MAC address, even for wlan.sa), however it does not work if used together with fields (-T fields).

MAC address resolution working:

tshark -nr input.pcap -N m -V

MAC address resolution not working:

tshark -nr input.pcap -N m -T fields -e eth.addr -e eth.src
tshark -nr wlan_input.pcap -N m -T fields -e wlan.sa

If you need that functionality, please file an enhancement bug at https://bugs.wireshark.org.

++ UPDATE #2 ++

I should have read my own comment on the question referred above ;-)

Please use these fields for resolved names:

    wlan.da_resolved
    wlan.sa_resolved
    wlan.ra_resolved
    wlan.ta_resolved
    wlan.bssid_resolved
    wlan.addr_resolved

    eth.src_resolved
    eth.dst_resolved
    eth.addr_resolved

Example:

tshark -nr input.pcap -N m -T fields -e eth.addr_resolved -e eth.src_resolved
tshark -nr wlan_input.pcap -N m -T fields -e wlan.sa_resolved

Regards
Kurt

answered 25 Sep '13, 02:55

Kurt Knochner ♦

edited 25 Sep '13, 12:38
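The `_resolved` fields above are tshark doing a vendor lookup against its manuf file and printing the vendor's short name in place of the OUI. For an older build that lacks those fields (or to filter a capture by brand after the fact), the same lookup can be done outside tshark over plain `-T fields -e wlan.sa` output. The following is an added example, not code from the Wireshark project or from anyone in this thread. It assumes the manuf line layout `prefix<whitespace>short-name<whitespace>long-name`, with a bare `xx:xx:xx` prefix meaning a /24 block and an optional `/bits` suffix for longer prefixes; the manuf entries and the tshark output embedded below are constructed for illustration and are not real OUI assignments.

```python
"""Vendor (OUI) resolution for MAC addresses in the style of Wireshark's manuf
file, applied to `tshark -T fields -e wlan.sa` output.

Added example, not Wireshark's own code. Assumed manuf layout:
    prefix[/bits]  ShortName  Long Name
where a bare 3-byte prefix is a /24. The sample data below is constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed manuf-style entries (NOT real IEEE assignments).
# '#' starts a comment; old manuf files also used it to carry the long name.
SAMPLE_MANUF = """\
# prefix                 short     long
00:11:22                 ExampleA  Example Corp A
00:11:22:30:00:00/28     ExampleB  Example Corp B (sub-block carved out of the /24)
AA:BB:CC                 ExampleC  Example Corp C
"""

# Constructed output of:  tshark -r wlan_input.pcap -T fields -e wlan.sa
SAMPLE_TSHARK_OUTPUT = """\
00:11:22:aa:bb:cc
00:11:22:3f:00:01
aa:bb:cc:00:00:01
de:ad:be:ef:00:01
"""

Entry = Tuple[int, int, str]  # (prefix value, prefix length in bits, short name)


def mac_to_int(mac: str) -> int:
    """Accept 00:11:22:aa:bb:cc, 00-11-22-aa-bb-cc or 001122aabbcc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def _prefix_mask(bits: int) -> int:
    return ((1 << bits) - 1) << (48 - bits)


def _parse_prefix(spec: str) -> Tuple[int, int]:
    """'00:11:22' -> (/24); '00:11:22:30:00:00/28' -> (/28)."""
    addr, _, bits_s = spec.partition("/")
    digits = re.sub(r"[^0-9a-fA-F]", "", addr)
    bits = int(bits_s) if bits_s else len(digits) * 4
    value = int(digits.ljust(12, "0"), 16)
    return value & _prefix_mask(bits), bits


def parse_manuf(text: str) -> List[Entry]:
    table: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments / old-style long names
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=2)
        if len(parts) < 2:
            continue
        value, bits = _parse_prefix(parts[0])
        table.append((value, bits, parts[1]))
    return table


def resolve_vendor(mac: str, table: List[Entry]) -> Optional[str]:
    """Longest-prefix match, so a /28 entry wins over the /24 it sits inside."""
    value = mac_to_int(mac)
    best: Optional[str] = None
    best_bits = -1
    for pvalue, bits, name in table:
        if value & _prefix_mask(bits) == pvalue and bits > best_bits:
            best, best_bits = name, bits
    return best


def resolved_name(mac: str, table: List[Entry]) -> str:
    """Mimic tshark's Vendor_xx:xx:xx rendering of a resolved /24 address.
    (For longer prefixes this example keeps the same shape; an assumption.)"""
    vendor = resolve_vendor(mac, table)
    tail = ":".join(mac.lower().replace("-", ":").split(":")[-3:])
    return f"{vendor}_{tail}" if vendor else mac.lower()


def is_locally_administered(mac: str) -> bool:
    """U/L bit of the first octet: set for randomized/locally assigned MACs,
    which never resolve to a vendor no matter how complete the manuf file is."""
    return bool((mac_to_int(mac) >> 40) & 0x02)


def filter_by_vendor(tshark_output: str, table: List[Entry], vendor: str) -> List[str]:
    """Keep only the MACs from `-T fields -e wlan.sa` that resolve to `vendor`."""
    macs = [ln.strip() for ln in tshark_output.splitlines() if ln.strip()]
    return [m for m in macs if resolve_vendor(m, table) == vendor]


if __name__ == "__main__":
    table = parse_manuf(SAMPLE_MANUF)
    for mac in SAMPLE_TSHARK_OUTPUT.split():
        flag = " (locally administered)" if is_locally_administered(mac) else ""
        print(f"{mac} -> {resolved_name(mac, table)}{flag}")
    print("ExampleA only:", filter_by_vendor(SAMPLE_TSHARK_OUTPUT, table, "ExampleA"))
```

In practice you would feed it the real manuf file from the Wireshark install and pipe `tshark -i wlan1 -T fields -e wlan.sa` into it; the locally-administered check is worth keeping, because a device with a randomized address will show up as unresolved rather than as its vendor, so a "filter by brand" built on OUIs silently misses such stations.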

Nitpick: the automated builds are not "releases", but snapshots of the latest development check-in that managed to produce a completed build. They may suffer from all sorts of bugs.

(25 Sep '13, 07:01) grahamb ♦

You are right. No release. I fixed the term in my answer.

(25 Sep '13, 07:30) Kurt Knochner ♦

When you use -T fields, you only get the explicitly requested fields, so if you want the resolved field, you have to explicitly ask for it, i.e., -e wlan.sa_resolved.

(25 Sep '13, 08:55) cmaynard ♦♦

I should have read my own comment in your answer (see question link above) ;-))) I fixed my answer.

(25 Sep '13, 12:19) Kurt Knochner ♦

This doesn't work with the current version: the eth.addr_resolved field (and all other xxx_resolved fields) is always empty.

(19 Feb '15, 05:39) eib

@eib, what version are you using?

(19 Feb '15, 06:06) grahamb ♦

@grahamb I'm using TShark 1.10.3 on centos

(19 Feb '15, 06:58) eib

So that's not a current version then; unfortunately folks on Red Hat-based distros really seem to be stuck with old versions. I'm not sure what is available for that version. I'll try to check and report back.

You can see what fields are supported by your version with tshark -G fields > fields.txt (I hope that works on 1.10.x). Note it's a big list hence the redirection.

(19 Feb '15, 07:20) grahamb ♦

@grahamb thanks for the hint. I have now built the current version from sources and everything works.

(19 Feb '15, 11:24) eib
question asked: 25 Sep '13, 02:47

question was seen: 9,408 times

last updated: 19 Feb '15, 11:24