You can make tshark print only the outer mac-address with :
tshark -r file.pcap -T fields -E occurrence=f -e eth.src -w output.pcap
BTW, using -w output.pcap will save the packets in binary form to output.pcap . If you want to save the list of mac-addresses, you should use:
tshark -r file.pcap -T fields -E occurrence=f -e eth.src > output.txt
From "tshark -h":
-e <field> field to print if -Tfields selected (e.g. tcp.port,
_ws.col.Info)
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
Cheers,
Sake
On 19 jan 2015, at 09:16, Rayne wrote:
> I realized that the tshark command actually extracts both MAC addresses, and because I know what the outer MAC address should look like (OUI), I can essentially get the outer MAC address by doing a grep. Thanks for the suggestions, Jim and Guy!
>
> From: Jim Young <
jyoung@xxxxxxx>
> To: Rayne <
hjazz6@xxxxxxxxx>; Community support list for Wireshark <
wireshark-users@xxxxxxxxxxxxx>
> Sent: Monday, January 19, 2015 3:35 PM
> Subject: Re: [Wireshark-users] Extracting outer MAC Address
>
> Hello Rayne,
>
>
>
> On Monday, January 19, 2015 1:58 AM, Rayne <
hjazz6@xxxxxxxxx> wrote:
>
> >I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
> >MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
> >802.1Q VLAN, IP.
> >
> >Wireshark can dissect it.
>
>
> Is is possible to attach a small example capture file of what you are
> looking at? One packet should do.
>
> Your description does not sound exactly like like the following, but there
> are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
> Bridge (
http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
> style encapsulation.
>
>
> Assuming Wireshark recognizes your packet as something like an IEEE
> 802.1ah packet there might be a protocol specific display filter that
> could get you the "outer" header's source mac value you seek.
>
> Regards,
>
> Jim Y.
>
>
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <
wireshark-users@xxxxxxxxxxxxx>
> Archives:
http://www.wireshark.org/lists/wireshark-users> Unsubscribe:
https://wireshark.org/mailman/options/wireshark-users> mailto:
wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe