In the attached test.pcapng file Ethernet source address of all packets should cyclically change from 0 to 3 in the first byte like that:
I see these addresses properly in my program, but Wireshark shows them incorrectly:
and also for reason I don't understand why it specifically displays the "NETBIOS-" word for the packets with 03.00.00.00.01 address and not for others. I think that either it should not display this word (preferably) or should display it for all packets in the same way. asked 05 Sep '14, 11:33  Ravil edited 11 Sep '14, 11:40 |
One Answer:
Let's take the second problem first. Click on "View" > "Name Resolution" and then uncheck "Enable for MAC Layer" if you don't want to see that. No, it should not display it for all packets. Wireshark is attempting to display the friendly name for the OUI (Organizational Unit Identifier), which is the first three bytes of the MAC address. Since the first three bytes are different, Wireshark should not display the same thing for all packets. I suggest opening the manuf file, which is in the Wireshark program files directory, searching for "NETBIOS-" (which you will find down on line 24,869) and read the note immediately above. And now for the first problem: You seem to have encountered a Wireshark display bug. If you turn off MAC address name resolution, as I suggest above, it will also fix this problem. answered 05 Sep '14, 12:23  Jim Aragon Yes, exactly! The problem is solved. Thank you! (05 Sep '14, 12:34) Ravil |
With which version of Wireshark does this happen? The MAC addresses look OK when I read it with a version built recently from the trunk and with 1.12.0.
I see it on both 1.12.0 and 1.10.9. MAC address name resolution has to be on to see the error, otherwise the MAC address displays correctly.
This is probably another side effect of bug https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10344 that is fixed in the upcoming 1.12.1 and 1.10.10 releases.