This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark to capture MAC ADDRESSES as well as src and dst ip addresses


Hi,

I am working on a project and I have the following commands to capture network traffic (using ICMP MAINLY).

The commands are as follows:

"C:\Program Files\Wireshark\tshark" -i "Local Area Connection" -a duration:10 -w C:\Temp\tsharkData

"C:\Program Files\Wireshark\tshark" -r C:\Temp\tsharkData -T fields -e frame.number -e ip.src -e ip.dst -e frame.len -e frame.time -e frame.time_relative -E header=y -E separator=, > C:\Temp\tsharkData.txt

(THIS IS TO CONVERT THE RAW DATA TO HUMAN READABLE FORMAT)

At this point, how do I get it to capture and display the MAC addresses of the traffic that is being captured?

NEED COMMAND USING tshark as this will help me create my automation system for shutting down ports in a DoS attack.

ALL HELP WILL BE MUCH APPRECIATED.

THANKS IN ADVANCE

asked 27 Mar '15, 08:48


naeemtania

edited 27 Mar '15, 10:22


grahamb ♦
One Answer:


You'll need to add the fields for the MAC addresses.

Assuming you're using wired Ethernet, to find the field names open any capture in Wireshark, expand the protocol tree for the Ethernet II part, and select the Destination and Source fields in turn and look at the field description in the status bar at the bottom left. The field name will be in parentheses. So for Ethernet MAC addresses you need eth.dst and eth.src, and they can be added to your command line as additional -e options.

answered 27 Mar '15, 08:55


grahamb ♦

Hi,

Thanks a lot, it makes more sense to me; however, I can find the bit where I can add eth.dst and eth.src in a protocol tree.

Can you please tell me which option I need to go to in order to add the eth.dst and eth.src expressions for tshark?

Thanks a lot

Much appreciated.

(ps. Not familiar with wireshark)

(27 Mar '15, 09:28) naeemtania

Just slot the extra fields into your command line. Using the line you posted in your question:

"C:\Program Files\Wireshark\tshark" -r C:\Temp\tsharkData -T fields -e frame.number -e ip.src -e ip.dst -e eth.src -e eth.dst -e frame.len -e frame.time -e frame.time_relative -E header=y -E separator=, > C:\Temp\tsharkData.txt

(27 Mar '15, 10:21) grahamb ♦
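The question mentions that the field export feeds an automation system for reacting to a flood. As an added example (not code from the question, the answer, or the Wireshark project), the script below assembles the same tshark field export with eth.src and eth.dst added, then parses the header=y CSV it writes and totals frames and bytes per source MAC so a threshold can be applied. It goes beyond the thread in two ways: it passes -Y icmp as a display filter so only ICMP frames are exported, and it adds -E quote=d, because the frame.time column contains a comma ("Mar 27, 2015 ...") and would otherwise break a comma-separated parse. The tshark path, capture file name and the CSV rows are constructed for the demonstration; run_tshark needs a real tshark install, while the parsing functions run offline on the sample rows.

```python
"""Build the tshark field export from the thread and summarise it per source MAC.

Added example, not from the question or the answer. The tshark path, the
capture file name and SAMPLE_CSV are constructed; only the field names and
the -E header/separator options come from the thread.
"""
import csv
import io
import subprocess
from collections import Counter

# Fields from the thread, with eth.src / eth.dst slotted in as the answer suggests.
FIELDS = ["frame.number", "ip.src", "ip.dst", "eth.src", "eth.dst",
          "frame.len", "frame.time", "frame.time_relative"]


def build_tshark_command(tshark_path, capture_file, display_filter=None):
    """Assemble the argument list for `tshark -r ... -T fields`.

    An argument list (not a shell string) avoids quoting problems with paths
    such as "C:\\Program Files\\Wireshark\\tshark".
    """
    cmd = [tshark_path, "-r", capture_file, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    # quote=d wraps each value in double quotes, so the comma inside
    # frame.time ("Mar 27, 2015 ...") does not split the column.
    cmd += ["-E", "header=y", "-E", "separator=,", "-E", "quote=d"]
    if display_filter:
        cmd += ["-Y", display_filter]   # e.g. "icmp" keeps only ICMP frames
    return cmd


def run_tshark(tshark_path, capture_file, display_filter=None):
    """Run tshark and return its CSV output (requires tshark to be installed)."""
    cmd = build_tshark_command(tshark_path, capture_file, display_filter)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def summarise_by_source_mac(csv_text):
    """Count frames and bytes per source MAC from header=y CSV output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    frames, octets = Counter(), Counter()
    for row in reader:
        mac = row.get("eth.src", "")
        if not mac:          # non-Ethernet frames carry no eth.src
            continue
        frames[mac] += 1
        octets[mac] += int(row.get("frame.len") or 0)
    return {mac: {"frames": frames[mac], "bytes": octets[mac]} for mac in frames}


def top_talkers(summary, threshold_frames):
    """Source MACs whose frame count meets the threshold, busiest first."""
    hot = [(mac, s["frames"]) for mac, s in summary.items()
           if s["frames"] >= threshold_frames]
    return [mac for mac, _ in sorted(hot, key=lambda x: (-x[1], x[0]))]


# Constructed sample output in the shape the command above produces
# (quote=d output; frame 5 is a non-IP frame, so ip.src/ip.dst are empty).
SAMPLE_CSV = """frame.number,ip.src,ip.dst,eth.src,eth.dst,frame.len,frame.time,frame.time_relative
1,192.0.2.10,192.0.2.1,00:11:22:33:44:55,aa:bb:cc:dd:ee:01,98,"Mar 27, 2015 08:48:01.000000000",0.000000000
2,192.0.2.10,192.0.2.1,00:11:22:33:44:55,aa:bb:cc:dd:ee:01,98,"Mar 27, 2015 08:48:01.000100000",0.000100000
3,192.0.2.10,192.0.2.1,00:11:22:33:44:55,aa:bb:cc:dd:ee:01,98,"Mar 27, 2015 08:48:01.000200000",0.000200000
4,192.0.2.20,192.0.2.1,00:11:22:33:44:66,aa:bb:cc:dd:ee:01,74,"Mar 27, 2015 08:48:01.500000000",0.500000000
5,,,00:11:22:33:44:77,ff:ff:ff:ff:ff:ff,60,"Mar 27, 2015 08:48:02.000000000",1.000000000
"""

if __name__ == "__main__":
    # Constructed paths for illustration only.
    print(" ".join(build_tshark_command(r"C:\Program Files\Wireshark\tshark.exe",
                                        r"C:\Temp\tsharkData", "icmp")))
    summary = summarise_by_source_mac(SAMPLE_CSV)
    for mac, stats in summary.items():
        print(mac, stats)
    print("sources at or above 3 frames:", top_talkers(summary, 3))
```

With the constructed rows, 00:11:22:33:44:55 accounts for 3 frames and 294 bytes and is the only source that meets a threshold of 3; the threshold value itself is a tuning decision for the capture window (-a duration:10 in the question), not something the script can choose for you.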