This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get Vendor OUI with tshark

0

Hey experts, I'm analyzing traffic on some networks with dumpcap/tshark (Linux and command line environment). I would like to simply get the OUI info per MAC address listed in a CSV file, like:

aa:bb:cc:dd:11:22, VendorX

bb:cc:aa:44:55:44, VendorY

I know that a MAC -> OUI translation table exists in tshark as the OUI info can be displayed (with tons of other data) with for example the -V switch, but I just want the specific vendor info and no other junk. Anyone who knows the trick? Have tried using the same read filter as is used in Wireshark, but it's not recognized by tshark.

Cheers, Sam

asked 01 Apr '17, 14:41


SamA
accept rate: 0%


2 Answers:

1

You can use the field name eth.addr_resolved with a little post-processing, i.e.

tshark -r xxx.pcapng -T fields -e eth.addr_resolved

gives output like this:

Cisco-Li_78:70:c7,IntelCor_35:96:f0
IntelCor_35:96:f0,Cisco-Li_78:70:c7

so post-processing could split at the "_".

There are analogous fields for the source and destination addresses: eth.src_resolved and eth.dst_resolved.

You might need to enable the preference for MAC address resolution: `-o nameres.mac_name:TRUE`

answered 02 Apr '17, 04:31


grahamb ♦
accept rate: 22%

Thanks for suggestions. Forgot to write that I'm doing WLAN capture. I think the tshark command should look like this:

tshark -r xxx.pcap -T fields -e wlan.addr_resolved

However, nothing is printed. I capture the packets like this:

tshark -r xxx.pcap -T fields -e wlan.sa -e wlan.addr_resolved

Have tried with the -o switch that grahamb suggests, but it doesn't seem to exist. Also tried various -N switches (that's what the help file for tshark suggests) but still nothing is printed out. Any suggestions?

Cheers! Sam

(05 Apr '17, 10:56) SamA

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(05 Apr '17, 13:49) Jaap ♦
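A worked version of the post-processing grahamb's answer describes, added here as an example (it is not code from the original thread). It assumes tshark is run with paired address and resolved-name fields, so that each line carries the raw MAC next to its resolved form; the capture file name is a placeholder, and the MAC prefixes and their pairing with vendor short names in the sample input are constructed for the demonstration, not looked up in Wireshark's manuf table.

```shell
#!/bin/sh
# Added example: turn `tshark -T fields` output into "mac, vendor" CSV.
#
# Intended pipeline (tshark is not run here; capture.pcapng is a placeholder):
#   tshark -r capture.pcapng -N m -T fields \
#          -e eth.src -e eth.src_resolved -e eth.dst -e eth.dst_resolved | resolved_to_csv
#
# Asking for the src/dst pairs separately avoids the comma-joined values that
# eth.addr_resolved prints for a single frame (e.g. "Cisco-Li_78:70:c7,IntelCor_35:96:f0").

resolved_to_csv() {
    # -T fields separates columns with a tab by default.
    awk -F'\t' '
    # Emit one "mac, vendor" line per distinct MAC address.
    function emit(mac, name,    vendor) {
        if (mac == "" || seen[mac]++) return
        if (index(name, "_") > 0) {
            # "Cisco-Li_78:70:c7": manuf short name, "_", the device part of the address.
            vendor = name
            sub(/_[0-9a-fA-F:]+$/, "", vendor)
        } else if (name == mac) {
            # tshark echoes the bare address when the OUI is not in its table
            # or when MAC name resolution is switched off.
            vendor = "unknown"
        } else {
            # Fully resolved well-known addresses, e.g. "Broadcast".
            vendor = name
        }
        printf "%s, %s\n", mac, vendor
    }
    { emit($1, $2); emit($3, $4) }'
}

# Constructed sample of tshark output (tab-separated). The address prefixes and
# the vendor names paired with them are made up for this demonstration.
sample_input() {
    printf '00:1a:2b:78:70:c7\tCisco-Li_78:70:c7\t00:1c:c0:35:96:f0\tIntelCor_35:96:f0\n'
    printf '00:1c:c0:35:96:f0\tIntelCor_35:96:f0\t00:1a:2b:78:70:c7\tCisco-Li_78:70:c7\n'
    printf '02:00:5e:11:22:33\t02:00:5e:11:22:33\tff:ff:ff:ff:ff:ff\tBroadcast\n'
}

sample_csv() {
    sample_input | resolved_to_csv
}

sample_csv
```

If every address comes out as "unknown", MAC name resolution is off for that run: `-N m` or `-o nameres.mac_name:TRUE` enables it. The name in front of the underscore is Wireshark's abbreviated manuf entry ("Cisco-Li", "IntelCor"), not the full registered vendor name, so map it back to the long form if the report needs it.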

0

Probably the best way to go about this is to post-process the tshark output into the form you need. You could select one of the more structured output types, like PDML or JSON, for this and feed that into your post processing script.

answered 02 Apr '17, 03:57


Jaap ♦
accept rate: 14%