This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Privacy mode for MAC addresses in tshark?

0

If I use

airodump-ng mon0 -w myfile --output-format cap

to capture network traffic, it shows (among others) the MAC address and the SSID in real time, and I can see them in plaintext. For example:

11:11:11:11:11:11 Device1
22:22:22:22:22:22 Device2

It furthermore stores the information in myfile-01.cap.

However, if I now use

tshark -r myfile-01.cap

to access the information stored in the file, for some MAC addresses the first part of it is "anonymized", like this:

11:11:11:11:11:11 Device1
HonHaiPr_22:22:22 Device2

Is this a privacy feature? If it is, according to which rules is this feature applied to a MAC address? Can I turn it off (or on for all MAC addresses)?

asked 03 Dec '14, 08:53

baukran
accept rate: 0%

edited 03 Dec '14, 08:54


One Answer:

2

The first part of the MAC address is the vendor code and Wireshark is helpfully replacing the numeric value with the textual equivalent if the vendor is known from the list installed along with Wireshark. This can be controlled by using the Name Resolution preferences "Resolve MAC addresses" option.

answered 03 Dec '14, 10:04

grahamb ♦
accept rate: 22%
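
The lookup the answer describes, as an added example (not code from Wireshark or from either poster). It goes slightly beyond the answer by also matching vendor blocks longer than 24 bits. The table is a constructed sample laid out like Wireshark's manuf file; the prefixes 22:22:22 and 44:44:44 and the name ExampleCo are placeholders, and parse_manuf and resolve_mac are hypothetical helper names. For a single tshark run, the "Resolve MAC addresses" preference can be turned off with -o nameres.mac_name:FALSE.

```python
# Constructed sample in the manuf layout: prefix <TAB> short name <TAB> long name.
# 22:22:22 stands in for the vendor prefix that the question does not show.
SAMPLE_MANUF = """\
# comment lines start with '#'
22:22:22\tHonHaiPr\tHon Hai Precision (placeholder prefix)
44:44:44:A0:00:00/28\tExampleCo\tConstructed 28-bit vendor block
"""

def parse_manuf(text):
    """Return {prefix_bits: {prefix_value: short_name}}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        prefix, _, mask = fields[0].partition("/")
        octets = bytes(int(o, 16) for o in prefix.replace("-", ":").split(":"))
        bits = int(mask) if mask else len(octets) * 8
        # Left-align the prefix in a 48-bit address, then keep only its top bits.
        value = int.from_bytes(octets.ljust(6, b"\0"), "big") >> (48 - bits)
        table.setdefault(bits, {})[value] = fields[1]
    return table

def resolve_mac(mac, table, enabled=True):
    """Replace the vendor part with its short name when the prefix is known.

    With enabled=False (name resolution off) or an unknown prefix, the
    address is returned in plain numeric form.
    """
    octets = mac.lower().split(":")
    numeric = ":".join(octets)
    if not enabled:
        return numeric
    addr = int("".join(octets), 16)
    for bits in sorted(table, reverse=True):  # longest prefix wins
        name = table[bits].get(addr >> (48 - bits))
        if name:
            # Assumption of this sketch: always show the last three octets.
            return f"{name}_{':'.join(octets[3:])}"
    return numeric

if __name__ == "__main__":
    manuf = parse_manuf(SAMPLE_MANUF)
    for mac in ("11:11:11:11:11:11", "22:22:22:22:22:22"):
        print(resolve_mac(mac, manuf), "|", resolve_mac(mac, manuf, enabled=False))
```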