Hi, I am working on a project and I have the following commands to capture network traffic (using ICMP MAINLY). The commands are as follows:
At this point, how do I get it to capture and display the MAC addresses of the traffic that is being captured? I NEED A COMMAND USING tshark, as this will help me create my automation system for shutting down ports in a DoS attack. ALL HELP WILL BE MUCH APPRECIATED. THANKS IN ADVANCE.
asked 27 Mar '15, 08:48 naeemtania, edited 27 Mar '15, 10:22 grahamb ♦
One Answer:
You'll need to add the fields for the MAC addresses. Assuming you're using wired Ethernet, to find the field names open any capture in Wireshark, expand the protocol tree for the Ethernet II part, select the Destination and Source fields in turn, and look at the field description in the status bar at the bottom left. The field name will be in parentheses. So for Ethernet MAC addresses you need
answered 27 Mar '15, 08:55 grahamb ♦
Hi,
Thanks a lot, that makes more sense to me; however, I can find the bit where I can add eth.dst and eth.src in a protocol tree.
Can you please tell me which option I need to go to in order to add the eth.dst and eth.src expressions for tshark?
Thanks a lot.
Much appreciated.
(ps. Not familiar with wireshark)
Just slot the extra fields into your command line. Using the line you posted in your question:
"C:\Program Files\Wireshark\tshark" -r C:\Temp\tsharkData -T fields -e frame.number -e ip.src -e ip.dst -e eth.src -e eth.dst -e frame.len -e frame.time -e frame.time_relative -E header=y -E separator=, > C:\Temp\tsharkData.txt
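The asker wants to feed this field output into an automated system that spots a flood and identifies the offending source. The script below is an added example, not code from this thread or from the Wireshark project: it parses the output of the command above and reports which source MAC address sent the most frames inside any one-second window. It assumes one change to the command, adding `-E quote=d` so that every field is double-quoted. That matters because `frame.time` renders as text like `Mar 27, 2015 08:48:00...`, which contains a comma and would otherwise be split in two by `separator=,`. The sample output embedded in the script is constructed, and the window size and threshold are placeholder values to tune against your own baseline.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of "tshark -T fields ... -E header=y -E separator=, -E quote=d"
# output, using the same field list as the command in the thread.  Without
# quote=d the comma inside frame.time would shift every later column.
SAMPLE_TSHARK_OUTPUT = '''\
"frame.number","ip.src","ip.dst","eth.src","eth.dst","frame.len","frame.time","frame.time_relative"
"1","10.0.0.5","10.0.0.1","00:11:22:33:44:55","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.000000000 GMT","0.000000000"
"2","10.0.0.5","10.0.0.1","00:11:22:33:44:55","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.100000000 GMT","0.100000000"
"3","10.0.0.7","10.0.0.1","00:11:22:33:44:66","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.150000000 GMT","0.150000000"
"4","10.0.0.5","10.0.0.1","00:11:22:33:44:55","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.200000000 GMT","0.200000000"
"5","10.0.0.5","10.0.0.1","00:11:22:33:44:55","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.300000000 GMT","0.300000000"
"6","10.0.0.5","10.0.0.1","00:11:22:33:44:55","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.400000000 GMT","0.400000000"
"7","10.0.0.5","10.0.0.1","00:11:22:33:44:55","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:00.500000000 GMT","0.500000000"
"8","10.0.0.7","10.0.0.1","00:11:22:33:44:66","aa:bb:cc:dd:ee:01","98","Mar 27, 2015 08:48:02.150000000 GMT","2.150000000"
'''


def parse_tshark_fields(text):
    """Parse quoted, comma-separated tshark field output into a list of dicts.

    The header row (from -E header=y) supplies the keys, so the tshark field
    names (eth.src, frame.time_relative, ...) are used as-is.
    """
    return list(csv.DictReader(io.StringIO(text)))


def peak_rate_by_source_mac(rows, window_seconds):
    """Return {eth.src: most frames seen from that MAC within any window_seconds span}.

    Uses frame.time_relative (seconds since the first frame) and a sliding
    window over each MAC's sorted timestamps.
    """
    times = defaultdict(list)
    for row in rows:
        times[row["eth.src"]].append(float(row["frame.time_relative"]))

    peaks = {}
    for mac, stamps in times.items():
        stamps.sort()
        best = 0
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_seconds.
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[mac] = best
    return peaks


def flag_flooding_macs(rows, window_seconds=1.0, threshold=5):
    """Return the sorted list of source MACs whose peak rate meets the threshold.

    window_seconds and threshold are placeholder values; set them from what
    normal ICMP traffic on your network looks like.
    """
    peaks = peak_rate_by_source_mac(rows, window_seconds)
    return sorted(mac for mac, peak in peaks.items() if peak >= threshold)


if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for mac, peak in sorted(peak_rate_by_source_mac(rows, 1.0).items()):
        print(f"{mac}: peak {peak} frames in 1.0 s")
    print("flagged:", flag_flooding_macs(rows))
```

To run it against a real capture, redirect the tshark command to a file as in the thread, read the file instead of `SAMPLE_TSHARK_OUTPUT`, and add `-Y icmp` to the tshark command if you want only ICMP frames counted. The flagged `eth.src` is the value to look up in the switch's MAC address table to find the port the automation should act on; the script itself only reports, it does not touch the switch.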