Wireshark-users: Re: [Wireshark-users] Extracting outer MAC Address

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 19 Jan 2015 15:03:42 +0100
You can make tshark print only the outer mac-address with :

tshark -r file.pcap -T fields -E occurrence=f -e eth.src -w output.pcap

BTW, using -w output.pcap will save the packets in binary form to output.pcap . If you want to save the list of mac-addresses, you should use:

tshark -r file.pcap -T fields -E occurrence=f -e eth.src > output.txt


From "tshark -h":

  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values

Cheers,
Sake


On 19 jan 2015, at 09:16, Rayne wrote:

> I realized that the tshark command actually extracts both MAC addresses, and because I know what the outer MAC address should look like (OUI), I can essentially get the outer MAC address by doing a grep. Thanks for the suggestions, Jim and Guy!
> 
> From: Jim Young <jyoung@xxxxxxx>
> To: Rayne <hjazz6@xxxxxxxxx>; Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> 
> Sent: Monday, January 19, 2015 3:35 PM
> Subject: Re: [Wireshark-users] Extracting outer MAC Address
> 
> Hello Rayne,
> 
> 
> 
> On Monday, January 19, 2015 1:58 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
> 
> >I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
> >MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
> >802.1Q VLAN, IP.
> >
> >Wireshark can dissect it.
> 
> 
> Is is possible to attach a small example capture file of what you are
> looking at? One packet should do.
> 
> Your description does not sound exactly like like the following, but there
> are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
> Bridge (http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
> style encapsulation.
> 
> 
> Assuming Wireshark recognizes your packet as something like an IEEE
> 802.1ah packet there might be a protocol specific display filter that
> could get you the "outer" header's source mac value you seek.
> 
> Regards,
> 
> Jim Y.
> 
> 
> 
> 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe