This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is needed is an end-of-day filter that displays the following (IP, MAC addresses and websites / domains visited). This is for a summary report for management. To be clear, the need is for ALL of this data, not just the MAC address related data from one system. The visible illustrations of this subject seem to be focused on ONE MAC address instead of everyone within the capture.

asked 01 Aug '15, 20:04


chasster123

edited 02 Aug '15, 14:42


Guy Harris ♦♦


You can only see MAC addresses for systems that are on your network; that is, the network where the traffic was captured. So unless the web servers are all on your network, the only MAC address you will see will be for the router(s).


answered 01 Aug '15, 20:21


Jim Aragon

OK, I need that list of MAC addresses, associated IP addresses and websites / domains visited by all internal systems.

(01 Aug '15, 20:57) chasster123

You could add a column for the MAC address and a custom column displaying the "http.host". That way your packet list will have all the details. Export that via "File" -> "Export Packet Dissections" -> "as CSV" and use Excel (or any other Spreadsheet application) to work with the results.

You could also leverage tshark, e.g. on a file called "HTTPSample.pcapng":

tshark -r "HTTPSample.pcapng" -Tfields -e eth.src -e ip.src -e http.host

which will give you something like this:

a8:60:00:16:7a:aa 192.168.0.1
00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1
a8:60:00:16:7a:aa 192.168.0.1 www.tracewrangler.com
00:0d:b9:21:95:18 10.10.10.10
00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1
00:0d:b9:21:95:18 10.10.10.10
00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1
00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1
a8:60:00:16:7a:aa 192.168.0.1 www.tracewrangler.com
00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1
a8:60:00:16:7a:aa 192.168.0.1
00:0d:b9:21:95:18 10.10.10.10
00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1

If that's too much, reduce it with sort and uniq, e.g. like this:

tshark -r "HTTPSample.pcapng" -Tfields -e eth.src -e ip.src -e http.host | sort | uniq

which gets you:

00:0d:b9:21:95:18 10.10.10.10
a8:60:00:16:7a:aa 192.168.0.1
a8:60:00:16:7a:aa 192.168.0.1 www.tracewrangler.com

You may have to install sort and uniq from a Unix tool collection if running this on Windows.


answered 02 Aug '15, 06:38


Jasper ♦♦
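The sort | uniq pipeline above still leaves one line per packet and keeps the rows with an empty http.host. The following added example (not from the answer above or the Wireshark project) reads the tab-separated output of that same tshark -T fields command and turns it into the per-system summary the question asks for: one row per MAC/IP pair with the distinct domains it requested. The sample input is constructed to match the shape of the output shown above; rows without a host (non-HTTP packets) are dropped, and an explicit port in the Host header is stripped.

```python
import csv
import sys
from collections import defaultdict
from io import StringIO

# Constructed sample of:
#   tshark -r HTTPSample.pcapng -T fields -e eth.src -e ip.src -e http.host
# One line per packet, tab-separated; the third field is empty for non-HTTP packets.
SAMPLE = (
    "a8:60:00:16:7a:aa\t192.168.0.1\t\n"
    "00:0d:b9:21:95:18\t10.10.10.10\t\n"
    "a8:60:00:16:7a:aa\t192.168.0.1\twww.tracewrangler.com\n"
    "a8:60:00:16:7a:aa\t192.168.0.1\twww.tracewrangler.com\n"
    "a8:60:00:16:7a:aa\t192.168.0.1\tExample.org:8080\n"
    "00:0d:b9:21:95:18\t10.10.10.10\tintranet.example\n"
)

def parse_fields(text):
    """Yield (mac, ip, host) for every packet that carried an http.host."""
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) < 3:
            continue
        mac, ip, host = row[0].strip(), row[1].strip(), row[2].strip().lower()
        if not (mac and ip and host):
            continue            # non-HTTP packet or truncated line: nothing to report
        name, sep, port = host.rpartition(":")
        if sep and port.isdigit():
            host = name         # "host:8080" -> "host"; IPv6 literals keep their brackets
        yield mac, ip, host

def summarize(text):
    """Map (mac, ip) -> sorted list of distinct domains that pair requested."""
    visits = defaultdict(set)
    for mac, ip, host in parse_fields(text):
        visits[(mac, ip)].add(host)
    return {key: sorted(hosts) for key, hosts in sorted(visits.items())}

def format_report(summary):
    """Render the summary as a tab-separated table, one line per MAC/IP pair."""
    lines = ["MAC\tIP\tDomains"]
    for (mac, ip), hosts in summary.items():
        lines.append(f"{mac}\t{ip}\t{', '.join(hosts)}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Pass the saved tshark output as the first argument, or run without one for the sample.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print(format_report(summarize(data)))
```

Only plaintext HTTP populates http.host; TLS sessions expose the requested name only in the ClientHello SNI (tls.handshake.extensions_server_name in current Wireshark), so a report built on http.host alone will miss HTTPS browsing.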

Great - lots of feedback. Found that I could create a New Expression (edit - preferences). On selecting it (http.host) I get a display of source & destination IP where destination is either an IP or domain name. Regarding "add a column for the MAC address" I've explored the Column Field Types and don't see MAC or the http.post reference. I do see the http.host icon on the main desktop and it works when selected. I've tried selecting "hardware src addr" but don't see a list of MAC addresses. Did verify that Ubuntu has uniq / sort available - have not explored the tshark process as yet.

Please expand on the column for the MAC address.

(02 Aug '15, 07:39) chasster123

Works for me, but you can always add a custom column with the column setting of "eth.src".

(02 Aug '15, 07:44) Jasper ♦♦

Ref tshark, I get a "file does not exist" reference to "HTTPSample.pcapng". Tried altering the pcapng name - same results. When dropping the pcapng reference I get a "Tfields not specified" error.

cs

(02 Aug '15, 08:20) chasster123

Sorry, I assumed you wanted to read an existing capture file, so I chose that name as an example. So capture first, then run tshark on the file you get.

(02 Aug '15, 08:30) Jasper ♦♦

This runs but no designated output file. tshark -Tfields -e eth.src -e ip.src -e http.host | sort | uniq

(02 Aug '15, 08:35) chasster123

changed -r to -w "-w HTTPSample.pcapng" and the output file is created. Opened the file in wireshark and see IP addresses but not the MAC numbers.

(02 Aug '15, 08:41) chasster123

Bingo. First you have to run with a -w to create the pcapng file. Then you run with a -r to read the pcapng file. Now I get the following from tshark and the above basic script. MAC IP Domain (or IP/port)

Will test more in a session that is using the Browser some to evaluate the result toward that of the goal of creating a report.

(02 Aug '15, 08:49) chasster123

@chasster123

Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.

(02 Aug '15, 09:02) grahamb ♦

That's OK as you drove me in the right direction. I've opened the tshark file in wireshark but as yet don't see the MAC addresses so still exploring there.

(02 Aug '15, 09:24) chasster123

So now I have src / dst IP & MAC displaying in wireshark from the tshark pcap file. In the tshark display the domain name (name.com) is displayed as the 3rd column. In wireshark the domain name is displayed within the INFO column. Can the Info column be edited or replaced with another Display column showing Only the domain name?

(02 Aug '15, 10:36) chasster123