
Hi,

I am working on a project and I have the following commands to capture network traffic (using ICMP MAINLY).

The commands are as follows:

"C://Program Files/Wireshark/tshark" -i "Local Area Connection" -a duration:10 -w C://Temp/tsharkData

"C://Program Files/Wireshark/tshark" -r C:\Temp\tsharkData -T fields -e frame.number -e ip.src -e ip.dst -e frame.len -e frame.time -e frame.time_relative -E header=y -E separator=, > C:\\Temp\tsharkData.txt (THIS IS TO CONVERT THE RAW DATA TO HUMAN READABLE FORMAT)

At this point, how do I get it to capture and display the MAC addresses of the traffic that is being captured?

NEED COMMAND USING tshark as this will help me create my automation system for shutting down ports in a DoS attack.

ALL HELP WILL BE MUCH APPRECIATED.

THANKS IN ADVANCE

asked 27 Mar '15, 08:48

naeemtania

edited 27 Mar '15, 10:22

grahamb ♦


You'll need to add the fields for the mac addresses.

Assuming you're using wired Ethernet, to find the field names open any capture in Wireshark, expand the protocol tree for the Ethernet II part, and select the Destination and Source fields in turn and look at the field description in the status bar at the bottom left. The field name will be in parentheses. So for Ethernet MAC addresses you need eth.dst and eth.src, and they can be added to your command line as additional -e options.


answered 27 Mar '15, 08:55

grahamb ♦

Hi,

Thanks a lot, it makes more sense to me; however, I can find the bit where I can add eth.dst and eth.src in a protocol tree.

Can you please tell me which option I need to go to in order to add the eth.dst and eth.src expressions for tshark?

Thanks a lot

Much appreciated

(ps. Not familiar with wireshark)

(27 Mar '15, 09:28) naeemtania

Just slot the extra fields into your command line. Using the line you posted in your question:

"C:\Program Files\Wireshark\tshark" -r C:\Temp\tsharkData -T fields -e frame.number -e ip.src -e ip.dst -e eth.src -e eth.dst -e frame.len -e frame.time -e frame.time_relative -E header=y -E separator=, > C:\Temp\tsharkData.txt

(27 Mar '15, 10:21) grahamb ♦
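The thread stops at the tshark command line itself. As an added example (not code from the thread or from the Wireshark project), the POSIX shell script below shows what the next step of the asker's automation could look like: it exports the same field set grahamb suggested, with eth.src and eth.dst added, and then counts frames per source MAC so that an unusually loud sender can be flagged for review. The tshark option syntax is the same on Windows and Linux; the capture path, the `-Y icmp` display filter (since the question says ICMP mainly), the threshold, and the sample CSV lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: a capture file
# at $CAP, ICMP-only traffic of interest, and a frame-count threshold.
CAP="${CAP:-/tmp/tsharkData.pcapng}"   # assumed capture path
THRESHOLD="${THRESHOLD:-100}"           # assumed per-MAC frame threshold

# Export the thread's field list with eth.src/eth.dst added, as CSV with a
# header line, exactly as the -T fields / -E options in the thread produce.
export_fields() {
  tshark -r "$1" -Y icmp -T fields \
    -e frame.number -e ip.src -e ip.dst -e eth.src -e eth.dst \
    -e frame.len -e frame.time_relative \
    -E header=y -E separator=,
}

# Read that CSV on stdin, skip the header, and count frames per source MAC
# (column 4 = eth.src). Output: "count mac", highest count first.
count_by_src_mac() {
  awk -F, 'NR > 1 { n[$4]++ } END { for (m in n) print n[m], m }' | sort -rn
}

# Keep only the MACs whose frame count exceeds the threshold given as $1.
flag_talkers() {
  awk -v t="$1" '$1 > t { print $2 }'
}

# Constructed sample of what export_fields prints (not real capture data):
# one source MAC sends three ICMP frames, another sends one.
SAMPLE='frame.number,ip.src,ip.dst,eth.src,eth.dst,frame.len,frame.time_relative
1,192.0.2.10,192.0.2.1,aa:bb:cc:dd:ee:01,00:11:22:33:44:55,74,0.000000
2,192.0.2.10,192.0.2.1,aa:bb:cc:dd:ee:01,00:11:22:33:44:55,74,0.000100
3,192.0.2.20,192.0.2.1,aa:bb:cc:dd:ee:02,00:11:22:33:44:55,74,0.001000
4,192.0.2.10,192.0.2.1,aa:bb:cc:dd:ee:01,00:11:22:33:44:55,74,0.001100'

# Run the pipeline over the constructed sample with a threshold of 2;
# returns the flagged MAC(s), one per line.
demo() {
  printf '%s\n' "$SAMPLE" | count_by_src_mac | flag_talkers 2
}

# With "run" as the first argument, process the real capture instead.
if [ "${1:-}" = "run" ]; then
  export_fields "$CAP" | count_by_src_mac | flag_talkers "$THRESHOLD"
else
  demo
fi
```

The MAC list this prints is the input to whatever port-control step the automation takes; keeping that decision outside the script makes it easy to review the flagged addresses before anything is acted on, and the threshold should be tuned against normal ICMP volume on the segment so that ordinary pings are not flagged.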
question asked: 27 Mar '15, 08:48

question was seen: 3,139 times

last updated: 27 Mar '15, 10:22