This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark won’t display eth.addr

0

Here's my command:

tshark -i iface -o wlan.enable_decryption:TRUE -2 -R ip -T fields -e eth.dst -e ip.src -e ip.len

Actually the -R is "ip && !ip == 192.168.0.0/24" but the code display here seems bent on replacing '&' with html entities.

Anyway, I have WPA credentials in ~/.wireshark/80211_keys and this works for nodes that subsequently connect to the network, but the first field (eth.dst) is always blank. I've also tried eth.addr, same thing.

How can I get what I want here, namely, the destination MAC address, the IP source address, and the packet length?

asked 21 Apr '15, 12:40

mk27
accept rate: 0%


One Answer:

1

but the first field (eth.dst) is always blank. I've also tried eth.addr, same thing.

which is totally normal if you are looking at wifi/wlan traffic, as it does not have an Ethernet header.

Please try one of the following fields:

-e wlan.addr -e wlan.ra -e wlan.sa -e wlan.ta -e wlan.da

For more details, please check the following link:

https://www.wireshark.org/docs/dfref/w/wlan.html

Regards
Kurt

answered 21 Apr '15, 14:00

Kurt Knochner ♦
accept rate: 15%
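
What the wlan.ra / wlan.ta / wlan.sa / wlan.da fields from the answer refer to, as an added example that is not part of the original question or answer: an 802.11 data frame carries up to four address slots instead of an Ethernet header, and the To DS / From DS flags decide which slot is the destination and which the source. The sketch goes slightly beyond the thread by spelling out that mapping; it assumes the bytes start at the 802.11 MAC header (no radiotap header in front), and the function names and sample frames are constructed for illustration.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def wlan_addrs(frame: bytes) -> dict:
    """Map the address slots of a bare 802.11 data-frame header to RA/TA/DA/SA."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    # Frame Control and Duration are little-endian 16-bit fields.
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != 2:           # type field: 2 = data
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = (mac(frame[o:o + 6]) for o in (4, 10, 16))
    out = {"ra": a1, "ta": a2}         # receiver/transmitter are always slots 1 and 2
    if to_ds and from_ds:              # 4-address frame, slot 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        out.update(da=a3, sa=mac(frame[24:30]))
    elif to_ds:                        # station -> AP
        out.update(bssid=a1, sa=a2, da=a3)
    elif from_ds:                      # AP -> station
        out.update(da=a1, bssid=a2, sa=a3)
    else:                              # no distribution system (e.g. ad hoc)
        out.update(da=a1, sa=a2, bssid=a3)
    return out

# Constructed sample headers (locally administered MACs, not from a real capture).
AP, STA, HOST = "020000000001", "020000000002", "020000000003"
SAMPLE_TO_DS = bytes.fromhex("0801" + "0000" + AP + STA + HOST + "0000")
SAMPLE_FROM_DS = bytes.fromhex("0802" + "0000" + STA + AP + HOST + "0000")

if __name__ == "__main__":
    for name, frame in (("to-DS", SAMPLE_TO_DS), ("from-DS", SAMPLE_FROM_DS)):
        print(name, wlan_addrs(frame))
```

For the goal stated in the question (destination MAC, IP source, length), wlan.da is the field that corresponds to what eth.dst would show on a wired capture.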