What is needed is an end-of-day filter that displays the following (IP, MAC addresses and websites / domains visited). This is for a summary report for management. To be clear, the need is for ALL of this data, not just the MAC address related data from one system. The visible illustrations of this subject seem to be focused on ONE MAC address instead of everyone within the capture.

asked 01 Aug '15, 20:04 chasster123
edited 02 Aug '15, 14:42 Guy Harris ♦♦

2 Answers:

You can only see MAC addresses for systems that are on your network; that is, the network where the traffic was captured. So unless the web servers are all on your network, the only MAC address you will see will be for the router(s).

answered 01 Aug '15, 20:21 Jim Aragon

You could add a column for the MAC address and a custom column displaying the "http.host". That way your packet list will have all the details. Export that via "File" -> "Export Packet Dissections" -> "as CSV" and use Excel (or any other Spreadsheet application) to work with the results. You could also leverage tshark with e.g. on a file called "HTTPSample.pcapng":
which will give you something like this:
If that's too much, reduce it with sort and uniq, e.g. like this:
which gets you:
You may have to install sort and uniq from a Unix tool collection if running this on Windows.

answered 02 Aug '15, 06:38 Jasper ♦♦

Great - lots of feedback. Found that I could create a New Expression (edit - preferences). On selecting it (http.host) I get a display of source & destination IP where destination is either an IP or domain name. Regarding "add a column for the MAC address" I've explored the Column Field Types and don't see MAC or the http.post reference. I do see the http.host icon on the main desktop and it works when selected. I've tried selecting "hardware src addr" but don't see a list of MAC addresses. Did verify that Ubuntu has uniq / sort available - have not explored the tshark process as yet. Please expand on the column for the MAC address. (02 Aug '15, 07:39) chasster123

Works for me, but you can always add a custom column with the column setting of "eth.src". (02 Aug '15, 07:44) Jasper ♦♦

ref tshark, I get a file does not exist reference to "HTTPSample.pcapng". Tried altering the pcapng name - same results. Where dropping the pcapng reference I get a Tfields not specified error. cs (02 Aug '15, 08:20) chasster123

Sorry, I assumed you wanted to read an existing capture file, so I chose that name as an example. So capture first, then run tshark on the file you get. (02 Aug '15, 08:30) Jasper ♦♦

This runs but no designated output file. tshark -Tfields -e eth.src -e ip.src -e http.host | sort | uniq (02 Aug '15, 08:35) chasster123

changed -r to -w "-w HTTPSample.pcapng" and the output file is created. Opened the file in wireshark and see IP addresses but not the MAC numbers. (02 Aug '15, 08:41) chasster123

Bingo. First you have to run with a -w to create the pcapng file. Then you run with a -r to read the pcapng file. Now I get the following from tshark and the above basic script. MAC IP Domain (or IP/port) Will test more in a session that is using the Browser some to evaluate the result toward that of the goal of creating a report. (02 Aug '15, 08:49) chasster123

@chasster123 Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information. (02 Aug '15, 09:02) grahamb ♦

That's OK as you drove me in the right direction. I've opened the tshark file in wireshark but as yet don't see the MAC addresses so still exploring there. (02 Aug '15, 09:24) chasster123

So now I have src / dst IP & MAC displaying in wireshark from the tshark pcap file. In the tshark display the domain name (name.com) is displayed as the 3rd column. In wireshark the domain name is displayed within the INFO column. Can the Info column be edited or replaced with another Display column showing Only the domain name? (02 Aug '15, 10:36) chasster123

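
An end-of-day summary built on the tshark fields named in this thread (eth.src, ip.src, http.host), as an added example that is not part of the original posts. It goes one step beyond sort and uniq by collapsing the output to one row per MAC/IP pair; the function names, the `-Y http.request` display filter and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-host summary of HTTP Host headers from a saved capture.

# One tab-separated line per HTTP request: source MAC, source IP, Host header.
# $1 is an existing capture file (read with -r, as worked out in the comments).
extract_fields() {
    tshark -r "$1" -Y http.request -T fields \
        -e eth.src -e ip.src -e http.host
}

# Read "MAC<TAB>IP<TAB>host" lines on stdin and print one row per MAC/IP pair:
#   MAC<TAB>IP<TAB>request count<TAB>comma-separated list of distinct hosts
summarize() {
    # Drop malformed lines and requests that carried no Host header.
    awk -F '\t' 'NF == 3 && $3 != "" { print $1 "\t" $2 "\t" $3 }' |
    LC_ALL=C sort | uniq -c |
    awk '
        {
            key = $2 "\t" $3                  # $1 is the count from uniq -c
            if (key != prev) {
                if (NR > 1) print prev "\t" total "\t" hosts
                prev = key; total = 0; hosts = ""
            }
            total += $1
            hosts = (hosts == "" ? $4 : hosts "," $4)
        }
        END { if (NR > 0) print prev "\t" total "\t" hosts }
    '
}

# Constructed sample of extract_fields output (not taken from a real capture).
sample_lines() {
    printf '00:11:22:33:44:55\t192.168.1.10\texample.com\n'
    printf '00:11:22:33:44:55\t192.168.1.10\texample.org\n'
    printf '00:11:22:33:44:55\t192.168.1.10\texample.com\n'
    printf 'aa:bb:cc:dd:ee:ff\t192.168.1.20\texample.net\n'
    printf 'aa:bb:cc:dd:ee:ff\t192.168.1.20\t\n'
}

# With a capture file as the first argument, print the report for that file.
if [ -n "${1:-}" ]; then
    extract_fields "$1" | summarize
fi
```

The tab-separated output opens directly in a spreadsheet. Only plain HTTP requests carry http.host, so HTTPS traffic in the capture does not appear in this report.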
OK, I need that list of MAC addresses, associated IP addresses and websites / domains visited by all internal systems.