This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Show untranslated and translated mac addresses in different columns at the time

0

Hi all,

Tshark mac address translation works pretty fine, but somehow if i wanna get translated && untranslated mac addresses in 2 different columns (as SYN-bit within the below link) it doesn't work.

Related link

On one hand it shows only mac untranslated mac addresses:

$ ./tshark -i wlan1 -Nn -o column.format:'"Unres","%us","Res","%rs"'

74:de:2b:94:b4:cf 74:de:2b:94:b4:cf


c8:d7:19:ed:d5:38 c8:d7:19:ed:d5:38


74:de:2b:94:b4:cf 74:de:2b:94:b4:cf

On the other hand it shows only mac untranslated mac addresses:

$ ./tshark -i wlan1 -o column.format:'"Unres","%us","Res","%rs"'


LiteonTe_94:b4:cf LiteonTe_94:b4:cf


CiscoCon_ed:d5:38 CiscoCon_ed:d5:38


TrapezeN_94:b4:cf TrapezeN_94:b4:cf

Actually the output that i’m looking for should be as below:

LiteonTe_94:b4:cf 74:de:2b:94:b4:cf


CiscoCon_ed:d5:38 c8:d7:19:ed:d5:38


TrapezeN_94:b4:cf c9:e4:32:94:b4:cf

I’ve been checking tshark man page, and it especifies how to translate or not (including -N m), but my questions is: how to show untranslated and translated content in different columns at the same time? Any advice about how to manage it?

Thanks in advance

asked 15 Oct ‘13, 06:59

legramo's gravatar image

legramo
11236
accept rate: 0%

One Answer:

0

You don't say which version you're using, but using the very latest version (1.11.0 built from source), this works:

tshark -r sample.pcap -o column.format:'"unres","%uhs","res","%rhs"'

Note that the "h" in "uhs" specifies a hardware address -- in other words, the MAC address.

answered 15 Oct '13, 07:41

beroset's gravatar image

beroset
2261213
accept rate: 33%

I'm using TShark 1.8.2 (not 1.11.0) due to some problems installing the last Tshark version within a Raspberry Pi:

Linux raspberrypi 3.2.27+ armv6l GNU/Linux

Have you tried to do it without sample.pcap? I mean:

./tshark -i wlan1 -o column.format:'"Unres","%us","Res","%rs"'

(15 Oct '13, 08:19) legramo

Yes, I have tried it just now with the default device (Ethernet in my case) as:

tshark -o column.format:'"Unres","%uhs","Res","%rhs"'

It should be noted that although this works with 1.11.0, the preferred form is with "gui.column.format" instead of "column.format" due to some renaming that has been done recently to improve consistency.

(15 Oct '13, 08:28) beroset

... except that there's nothing graphical about tshark, so maybe gui.column.format should be changed to ui.column.format so it's more generic and applicable to either the graphical or command-line user interfaces. A discussion for wireshark-dev maybe ...

(15 Oct '13, 08:45) cmaynard ♦♦

By the way, starting with r51742, which will be part of 1.11.0 when it's released, you can also add new custom columns in Wireshark for the following fields:

  • eth.dst_resolved
  • eth.src_resolved
  • eth.addr_resolved
  • wlan.da_resolved
  • wlan.sa_resolved
  • wlan.addr_resolved
  • wlan.ra_resolved
  • wlan.ta_resolved
  • wlan.bssid_resolved

Tshark will then display these columns when the -P option is specified, and you won't need to use -o column.format. I'm not sure which would method would be easier for you or preferred, but at least you'd have the choice.

See also: this question.

(15 Oct '13, 09:50) cmaynard ♦♦