Hi all, I'm trying to solve a problem directly related to MAC address resolution in tshark. Our purpose is to be able to filter packages from specific brands, for instance Apple, Samsung, etc. First of all, we're getting the MAC addresses, but the MAC resolution doesn't work at all. tshark version -> 1.10.2

00:30:be:f9:90:89 ... No translation! Are we missing anything? Thanks!

asked 25 Sep '13, 02:47 legramo
converted to question 25 Sep '13, 02:51 grahamb ♦
One Answer:
HINT: for a working solution, please see ++ UPDATE #2 ++ below.

There are two things:

If that enhancement would solve your problem, you can't use it with 1.10.0, as the feature will not be backported. Please use the current build.

++ UPDATE ++

I just checked the latest build. Name resolution works in tshark (-N m for MAC addresses, even for wlan.sa); however, it does not work if used together with fields (-T fields).

MAC address resolution working:

MAC address resolution not working:

If you need that functionality, please file an enhancement bug at https://bugs.wireshark.org.

++ UPDATE #2 ++

I should have read my own comment on the question referred to above ;-) Please use these fields for resolved names:
answered 25 Sep '13, 02:55 Kurt Knochner ♦
edited 25 Sep '13, 12:38

Nit pick, the automated builds are not "releases", but snapshots of the latest development checkin that managed to produce a completed build. They may suffer from all sorts of bugs. (25 Sep '13, 07:01) grahamb ♦

You are right. No release. I fixed the term in my answer. (25 Sep '13, 07:30) Kurt Knochner ♦

When you use (25 Sep '13, 08:55) cmaynard ♦♦

I should have read my own comment in your answer (see question link above) ;-))) I fixed my answer. (25 Sep '13, 12:19) Kurt Knochner ♦

This doesn't work with the current version: the eth.addr_resolved field (and all other xxx_resolved fields) is always empty. (19 Feb '15, 05:39) eib

@eib, what version are you using? (19 Feb '15, 06:06) grahamb ♦

@grahamb I'm using TShark 1.10.3 on CentOS. (19 Feb '15, 06:58) eib

So that's not a current version then; unfortunately, folks on Red Hat based distros really seem to be stuck with old versions. I'm not sure what is available for that version. I'll try to check and report back. You can see what fields are supported by your version with (19 Feb '15, 07:20) grahamb ♦

@grahamb thanks for the hint. I have now built the current version from sources and everything works. (19 Feb '15, 11:24) eib
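As an added example (my own script, not the answer author's code or any output from this thread): a small POSIX shell script that does the vendor filtering the question asks for on top of tshark field output. It covers both situations discussed above: a build that has the *_resolved fields (filter on the name tshark already resolved with -N m) and an older 1.10.x build where those fields are empty (resolve the 3-byte OUI ourselves). The tshark invocations in the comments are the only real interface assumed; the sample output lines are constructed, and the OUI table is a hand-picked subset, not the Wireshark manuf file.

```shell
#!/bin/sh
# Added example for this thread, not code from the answer or from Wireshark.
# Assumptions: tshark -T fields emits tab-separated columns (its default);
# the OUI table below is a hand-picked subset, not the real manuf file.

# 1) Builds that have the *_resolved fields: let tshark resolve the vendor
#    and filter on the resolved name.  Input lines look like
#    "<eth.src><TAB><eth.src_resolved>", as produced by
#      tshark -r capture.pcap -N m -T fields -e eth.src -e eth.src_resolved
filter_by_resolved_name() {
    # $1: vendor fragment, matched case-insensitively (e.g. Apple, Samsung)
    awk -F'\t' -v v="$1" 'tolower($2) ~ tolower(v) { print $1 }'
}

# 2) Older builds (the 1.10.x in the thread) where *_resolved is empty:
#    resolve the OUI ourselves from a manuf-style "prefix vendor" table.
#    Input lines are bare MACs, as produced by
#      tshark -r capture.pcap -T fields -e eth.src
# Hand-picked subset (assumption); take real entries from Wireshark's manuf.
OUI_TABLE='00:30:be Apple
00:1e:c2 Apple
00:21:19 Samsung
8c:71:f8 Samsung
00:50:56 VMware'

filter_by_oui() {
    # $1: vendor fragment, matched case-insensitively
    awk -v v="$1" -v table="$OUI_TABLE" '
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, " ")
                oui[f[1]] = f[2]
            }
        }
        {
            mac = tolower($1)                 # accept upper- or lower-case input
            prefix = substr(mac, 1, 8)        # first three octets, "xx:xx:xx"
            if ((prefix in oui) && tolower(oui[prefix]) ~ tolower(v))
                print mac
        }'
}

# Constructed sample output standing in for a real tshark run.
sample_resolved() {
    printf '00:30:be:f9:90:89\tApple_f9:90:89\n'
    printf '8c:71:f8:12:34:56\tSamsungE_12:34:56\n'
    printf '00:50:56:aa:bb:cc\tVmware_aa:bb:cc\n'
    printf '02:ab:cd:ef:01:23\t02:ab:cd:ef:01:23\n'   # locally administered: tshark leaves it unresolved
}

sample_macs() {
    printf '00:30:be:f9:90:89\n'
    printf '00:1E:C2:01:02:03\n'
    printf '8c:71:f8:12:34:56\n'
    printf '00:50:56:aa:bb:cc\n'
    printf '02:ab:cd:ef:01:23\n'
}

# Stand-alone demo on the constructed samples.
echo "# Apple, by tshark-resolved name:"
sample_resolved | filter_by_resolved_name Apple
echo "# Apple, by local OUI lookup:"
sample_macs | filter_by_oui Apple
```

Usage on a real capture is the pipeline in the comments, e.g. `tshark -r capture.pcap -N m -T fields -e eth.src -e eth.src_resolved | filter_by_resolved_name Apple` on a current build, or `tshark -r capture.pcap -T fields -e eth.src | filter_by_oui Apple` on 1.10.x. If all you need is one known prefix rather than a vendor name, a display filter that slices the address works on any version and needs no name resolution at all: `tshark -r capture.pcap -Y 'eth.src[0:3] == 00:30:be'`. Note that an OUI only tells you who manufactured the interface (or who registered the prefix), and randomized or locally administered addresses, like the `02:` sample above, carry no vendor information.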
@legramo, please don't ask questions on the back of an existing one, just create a new question.
I've converted your "answer" to a new question.
Ok! I'll follow your advice next time.