
If I use

airodump-ng mon0 -w myfile --output-format cap

to capture network traffic, it shows (among others) the MAC address and the SSID in real time, and I can see them in plaintext. For example:

11:11:11:11:11:11 Device1
22:22:22:22:22:22 Device2

It furthermore stores the information in myfile-01.cap.

However, if I now use

tshark -r myfile-01.cap

to access the information stored in the file, for some MAC addresses the first part of it is "anonymized", like this:

11:11:11:11:11:11 Device1
HonHaiPr_22:22:22 Device2

Is this a privacy feature? If it is, according to which rules is this feature applied to a MAC address? Can I turn it off (or on for all MAC addresses)?

asked 03 Dec '14, 08:53


baukran

edited 03 Dec '14, 08:54


The first part of the MAC address is the vendor code and Wireshark is helpfully replacing the numeric value with the textual equivalent if the vendor is known from the list installed along with Wireshark. This can be controlled by using the Name Resolution preferences "Resolve MAC addresses" option.


answered 03 Dec '14, 10:04


grahamb ♦
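
The vendor-prefix lookup described in the answer above, as an added example that is not part of the original post and is not Wireshark's code. It is a simplified model: the table entries are constructed (including the 22:22:22 mapping, taken from the question's placeholder address), and `parse_manuf` and `resolve_mac` are hypothetical helper names. The capture file keeps the full numeric address either way; only the displayed form changes.

```python
# Simplified model of MAC vendor resolution (added example, not Wireshark's code).
# SAMPLE_MANUF is a constructed table in a manuf-style layout:
# prefix<TAB>short name<TAB>long name, with an optional /bits mask.
SAMPLE_MANUF = """\
# constructed entries for illustration only
22:22:22\tHonHaiPr\tConstructed 24-bit vendor entry
33:33:33:40:00:00/28\tExampleSub\tConstructed 28-bit sub-block entry
"""


def parse_manuf(text):
    """Return {(prefix_bits, prefix_value): short_name} from manuf-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # malformed line, skip it
        prefix, _, mask = fields[0].partition("/")
        octets = prefix.split(":")
        bits = int(mask) if mask else 8 * len(octets)
        # Pad to 48 bits, then keep only the significant prefix bits.
        value = int("".join(octets).ljust(12, "0"), 16) >> (48 - bits)
        table[(bits, value)] = fields[1]
    return table


def resolve_mac(mac, table, enabled=True):
    """Return 'Vendor_xx:xx:xx' when the prefix is known and resolution is on,
    otherwise the unchanged numeric address."""
    mac = mac.lower().replace("-", ":")
    if not enabled:
        return mac
    octets = mac.split(":")
    addr = int("".join(octets), 16)
    for bits in (36, 28, 24):  # try the longest prefix first
        name = table.get((bits, addr >> (48 - bits)))
        if name:
            return name + "_" + ":".join(octets[3:])
    return mac  # unknown vendor: stays fully numeric, like Device1 above


if __name__ == "__main__":
    t = parse_manuf(SAMPLE_MANUF)
    for m in ("11:11:11:11:11:11", "22:22:22:22:22:22"):
        print(resolve_mac(m, t), "|", resolve_mac(m, t, enabled=False))
```

On the tshark command line, `-n` disables name resolution for a single run and `-N m` enables MAC address resolution only.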
