This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark disable MAC resolution (resolver)

0

I'm running Tshark to test for WiFi probes but sometimes I get instead of 40:0e:85:02:6a:a6 a Apple_df:76:88. Is there any way to get the REAL Mac instead of the resolved MAC? I already tried column.format with "%uhs" but this does not seem to work?

Is there any way to disable this MAC lookup/resolution in the output of tshark?

asked 05 May '15, 06:51

sudohenk's gravatar image

sudohenk
11114
accept rate: 0%

One Answer:

1

You should be able to disable MAC address resolution by either turning it off in Wireshark (Edit -> Preferences -> Name Resolution -> Resolve MAC addresses) or by specifying the "-o nameres.mac_name:FALSE" option on the tshark command-line.

answered 05 May '15, 07:03

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%