Hey experts,

I'm analyzing traffic on some networks with dumpcap/tshark (Linux and command line environment). I would like to simply get the OUI info per MAC address listed in a CSV file, like:

aa:bb:cc:dd:11:22, VendorX
bb:cc:aa:44:55:44, VendorY

I know that a MAC -> OUI translation table exists in tshark, as the OUI info can be displayed (with tons of other data) with, for example, the -V switch, but I just want the specific vendor info and no other junk. Anyone who knows the trick? Have tried using the same read filter as is used in Wireshark, but it's not recognized by tshark.

Cheers, Sam

asked 01 Apr '17, 14:41 SamA
2 Answers:
You can use the field name
gives output like this:
so post processing could split at the "_". There are analogous fields for the source and destination addresses. You might need to enable the preference for MAC address resolution: `-o nameres.mac_name:TRUE`

answered 02 Apr '17, 04:31 grahamb ♦
Probably the best way to go about this is to post-process the tshark output into the form you need. You could select one of the more structured output types, like PDML or JSON, for this and feed that into your post processing script.

answered 02 Apr '17, 03:57 Jaap ♦
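A post-processing sketch for the approach in the two answers above (an added example, not code from either answer): it reads tab-separated "MAC, resolved name" lines, splits the resolved name at the "_", and emits one CSV row per distinct MAC. The tshark field names in the comment and the `Vendor_xx:xx:xx` name shape are assumptions, and the sample input is constructed.

```python
import csv
import io
import re

# Constructed sample: tab-separated "MAC<TAB>resolved name" lines, the shape
# assumed from e.g. `tshark -r capture.pcap -T fields -e wlan.sa -e wlan.sa_resolved`
# (field names are an assumption; the command from the answer is not shown on the page).
SAMPLE = (
    "aa:bb:cc:dd:11:22\tVendorX_dd:11:22\n"
    "bb:cc:aa:44:55:44\tVendorY_44:55:44\n"
    "aa:bb:cc:dd:11:22\tVendorX_dd:11:22\n"   # duplicate sender
    "02:00:00:12:34:56\t02:00:00:12:34:56\n"   # no OUI match: name is the MAC itself
    "ff:ff:ff:ff:ff:ff\tBroadcast\n"           # well-known name, no "_"
    "\t\n"                                     # frame without that field
)

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
TAIL_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){2}$")

def vendor_from_resolved(mac, resolved):
    """Return the vendor part of 'Vendor_xx:xx:xx', or '' when unresolved."""
    if not resolved or resolved.lower() == mac:
        return ""
    head, sep, tail = resolved.rpartition("_")  # last "_": vendor may contain one
    # Only strip the suffix if it really is the last three octets of the MAC.
    if sep and TAIL_RE.match(tail.lower()) and mac.endswith(tail.lower()):
        return head
    return resolved  # e.g. "Broadcast" or a manually assigned name

def mac_vendor_table(lines):
    """Map each distinct MAC to its vendor, keeping first-seen order."""
    table = {}
    for line in lines:
        mac, _, resolved = line.rstrip("\n").partition("\t")
        mac = mac.strip().lower()
        if MAC_RE.match(mac) and mac not in table:
            table[mac] = vendor_from_resolved(mac, resolved.strip())
    return table

def to_csv(table):
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(table.items())
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(mac_vendor_table(SAMPLE.splitlines())), end="")
```

Addresses with no OUI match come out with an empty vendor column rather than being dropped, so locally administered or randomized MACs stay visible in the inventory.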
Thanks for suggestions. Forgot to write that I'm doing WLAN capture. I think the tshark command should look like this:
However, nothing is printed. I capture the packets like this:
Have tried with the -o switch that grahamb suggests, but it doesn't seem to exist. Also tried various -N switches (that's what the help file for tshark suggests) but still nothing is printed out. Any suggestions?
Cheers! Sam
Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.