This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MAC address resolution in tshark


Hi all,

I'm trying to solve a problem directly related to MAC address resolution in tshark. Our purpose is to be able to filter packages from specific brands, for instance Apple, Samsung, etc...

http://ask.wireshark.org/questions/24314/possible-to-use-the-mac-info-in-the-wireshark-manuf-file-as-part-of-display-filter?page=1&focusedAnswerId=24607#24607

First of all, we're getting the mac addresses but the MAC resolution doesn't work at all:

tshark version -> 1.10.2

    sudo tshark -i wlan1 -N mntC -T fields -e wlan.sa

    00:30:be:f9:90:89
    ...

No translation! Are we missing anything?

Thanks!

asked 25 Sep '13, 02:47

legramo

converted to question 25 Sep '13, 02:51

grahamb ♦

@legramo, please don't ask questions on the back of an existing one, just create a new question.

I've converted your "answer" to a new question.

(25 Sep '13, 02:52) grahamb ♦

Ok! I'll follow your advice next time.

(15 Oct '13, 06:03) legramo

One Answer:


HINT: for a working solution: please see ++ UPDATE #2 ++

There are two things:

  1. You are looking at the MAC address in wlan.sa. I'm not sure if name resolution was implemented for that as well.

  2. You are referring to another question, where an enhancement was announced. However:

Since this would be considered a new feature, it's not going to be backported to 1.10 or 1.8, since no new features go into stable releases.

If that enhancement would solve your problem, you can't use it with 1.10.0 as the feature will not be backported. Please use the current build

http://www.wireshark.org/download/automated/

++ UPDATE ++

I just checked the latest release trunk autobuild (TShark 1.11.0-SVN-52212). Here is what I found

Name resolution works in tshark (-N m for MAC address, even for wlan.sa), however it does not work if used together with fields (-T fields).

MAC address resolution working:

    tshark -nr input.pcap -N m -V

MAC address resolution not working:

    tshark -nr input.pcap -N m -T fields -e eth.addr -e eth.src
    tshark -nr wlan_input.pcap -N m -T fields -e wlan.sa

If you need that functionality, please file an enhancement bug at https://bugs.wireshark.org.

++ UPDATE #2 ++

I should have read my own comment on the question referred above ;-)

Please use these fields for resolved names:

    wlan.da_resolved
    wlan.sa_resolved
    wlan.ra_resolved
    wlan.ta_resolved
    wlan.bssid_resolved
    wlan.addr_resolved
    eth.src_resolved
    eth.dst_resolved
    eth.addr_resolved

Example:

    tshark -nr input.pcap -N m -T fields -e eth.addr_resolved -e eth.src_resolved
    tshark -nr wlan_input.pcap -N m -T fields -e wlan.sa_resolved

Regards
Kurt

answered 25 Sep '13, 02:55

Kurt Knochner ♦

edited 25 Sep '13, 12:38
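One way to do the vendor filtering the question asks for even on a build where the `_resolved` fields come back empty (as the comments report for 1.10.x) is to post-process the `-T fields` output and do the OUI lookup yourself from Wireshark's `manuf` file. The script below is an added example, not code from this thread or from the Wireshark project. The `manuf` entries and the tshark output lines embedded in it are constructed samples (the vendor names are placeholders, not real OUI assignments); the script name `mac_vendor.py` is assumed, and the `Vendor_xx:xx:xx` rendering mirrors the form tshark prints for 24-bit OUI matches only.

```python
#!/usr/bin/env python3
"""Vendor lookup for MAC addresses dumped by `tshark -T fields`.

Added example, not from the thread: when the *_resolved fields are empty
(older builds), map OUI -> vendor yourself from Wireshark's manuf file.
"""
import re
import sys

# Constructed sample in the manuf file's layout: prefix, short name, long
# name, tab separated.  A bare prefix covers 24 bits; a /NN suffix covers
# NN bits (the real file has /28 and /36 blocks).  Vendor names are
# placeholders, not real OUI assignments.
SAMPLE_MANUF = """\
# comment and blank lines are ignored
00:30:BE\tExampleA\tExample Vendor A Inc.
AA:BB:CC\tExampleB\tExample Vendor B Ltd.
AA:BB:CC:D0:00:00/28\tExampleC\tExample Vendor C (sub-block)
"""

# Constructed sample of `-T fields -e wlan.sa -e wlan.sa_resolved` output
# from a build whose _resolved column comes back empty.
SAMPLE_TSHARK_OUTPUT = """\
00:30:be:f9:90:89\t
aa:bb:cc:d1:22:33\t
aa:bb:cc:01:02:03\t
de:ad:be:ef:00:01\t
"""


def _mac_int(mac):
    """48-bit integer from aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    return int(re.sub(r"[:-]", "", mac), 16)


def parse_manuf(text):
    """Return (bits, masked_value, mask, short, long) entries, most
    specific prefix first so lookups prefer a /28 block over its /24."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        prefix, short = parts[0], parts[1]
        long_name = parts[2] if len(parts) > 2 else short
        bits = 24
        if "/" in prefix:
            prefix, bits = prefix.split("/", 1)
            bits = int(bits)
        # Pad short prefixes (3 octets) out to a full 48-bit value.
        value = int(re.sub(r"[:-]", "", prefix).ljust(12, "0"), 16)
        mask = ((1 << bits) - 1) << (48 - bits)
        entries.append((bits, value & mask, mask, short, long_name))
    entries.sort(key=lambda e: e[0], reverse=True)
    return entries


def lookup_vendor(entries, mac):
    """(short, long) for the longest matching prefix, or None."""
    addr = _mac_int(mac)
    for _bits, value, mask, short, long_name in entries:
        if addr & mask == value:
            return short, long_name
    return None


def resolved_name(entries, mac):
    """Mimic tshark's Vendor_xx:xx:xx rendering for a 24-bit OUI hit (an
    approximation for /28 and /36 entries); unresolved MACs are returned
    unchanged, as tshark does."""
    hit = lookup_vendor(entries, mac)
    if hit is None:
        return mac
    tail = ":".join(re.split(r"[:-]", mac.lower())[3:])
    return f"{hit[0]}_{tail}"


def classify(tshark_output, entries):
    """Parse `wlan.sa<TAB>wlan.sa_resolved` rows.  A non-empty resolved
    column is trusted; an empty one triggers the local lookup."""
    rows = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        mac = cols[0].strip()
        resolved = cols[1].strip() if len(cols) > 1 else ""
        rows.append((mac, resolved or resolved_name(entries, mac)))
    return rows


def filter_by_vendor(tshark_output, manuf_text, wanted):
    """Source MACs whose vendor short name equals `wanted` (case-insensitive)."""
    entries = parse_manuf(manuf_text)
    keep = []
    for mac, name in classify(tshark_output, entries):
        vendor = name.split("_", 1)[0] if "_" in name else None
        if vendor and vendor.lower() == wanted.lower():
            keep.append(mac)
    return keep


if __name__ == "__main__":
    # Pipe real output in, e.g.
    #   tshark -nr wlan_input.pcap -N m -T fields -e wlan.sa -e wlan.sa_resolved | python3 mac_vendor.py
    # otherwise the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    for mac, name in classify(data, parse_manuf(SAMPLE_MANUF)):
        print(f"{mac}\t{name}")
```

To use it against a real capture, replace `SAMPLE_MANUF` with the contents of your Wireshark installation's `manuf` file and pipe the two-column `-T fields` output into the script; rows where tshark already filled `wlan.sa_resolved` are passed through untouched, so the same script works on both old and current builds.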

Nit pick, the automated builds are not “releases”, but snapshots of the latest development checkin that managed to produce a completed build. They may suffer from all sorts of bugs.

(25 Sep '13, 07:01) grahamb ♦

You are right. No release. I fixed the term in my answer.

(25 Sep '13, 07:30) Kurt Knochner ♦

When you use -T fields, you only get the explicitly requested fields, so if you want the resolved field, you have to explicitly ask for it, i.e, -e wlan.sa_resolved.

(25 Sep '13, 08:55) cmaynard ♦♦

I should have read my own comment in your answer (see question link above) ;-))) I fixed my answer.

(25 Sep '13, 12:19) Kurt Knochner ♦

This doesn't work with the current version: the eth.addr_resolved field (and all other xxx_resolved fields) is always empty.

(19 Feb '15, 05:39) eib

@eib, what version are you using?

(19 Feb '15, 06:06) grahamb ♦

@grahamb I’m using TShark 1.10.3 on centos

(19 Feb '15, 06:58) eib

So that’s not a current version then, unfortunately folks on Redhat based distros really seem to be stuck with old versions. I’m not sure what is available for that version. I’ll try to check and report back.

You can see what fields are supported by your version with tshark -G fields > fields.txt (I hope that works on 1.10.x). Note it’s a big list hence the redirection.

(19 Feb '15, 07:20) grahamb ♦

@grahamb thanks for the hint. I have now built the current version from sources and everything works.

(19 Feb '15, 11:24) eib