Wireshark-users: Re: [Wireshark-users] Extracting outer MAC Address

From: Rayne <hjazz6@xxxxxxxxx>
Date: Tue, 20 Jan 2015 01:12:08 +0000 (UTC)
Thank you very much! I'll use this tshark command in future.


From: Sake Blok <sake@xxxxxxxxxx>
To: Rayne <hjazz6@xxxxxxxxx>; Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Monday, January 19, 2015 10:03 PM
Subject: Re: [Wireshark-users] Extracting outer MAC Address

You can make tshark print only the outer mac-address with :

tshark -r file.pcap -T fields -E occurrence=f -e eth.src -w output.pcap

BTW, using -w output.pcap will save the packets in binary form to output.pcap . If you want to save the list of mac-addresses, you should use:

tshark -r file.pcap -T fields -E occurrence=f -e eth.src > output.txt


From "tshark -h":

  -e <field>              field to print if -Tfields selected (e.g. tcp.port,
                          _ws.col.Info)
                          this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
    header=y|n            switch headers on and off
    separator=/t|/s|<char> select tab, space, printable character as separator
    occurrence=f|l|a      print first, last or all occurrences of each field
    aggregator=,|/s|<char> select comma, space, printable character as
                          aggregator
    quote=d|s|n          select double, single, no quotes for values

Cheers,
Sake


On 19 jan 2015, at 09:16, Rayne wrote:

> I realized that the tshark command actually extracts both MAC addresses, and because I know what the outer MAC address should look like (OUI), I can essentially get the outer MAC address by doing a grep. Thanks for the suggestions, Jim and Guy!
>
> From: Jim Young <jyoung@xxxxxxx>
> To: Rayne <hjazz6@xxxxxxxxx>; Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Sent: Monday, January 19, 2015 3:35 PM
> Subject: Re: [Wireshark-users] Extracting outer MAC Address
>
> Hello Rayne,
>
>
>
> On Monday, January 19, 2015 1:58 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
>
> >I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
> >MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
> >802.1Q VLAN, IP.
> >
> >Wireshark can dissect it.
>
>
> Is is possible to attach a small example capture file of what you are
> looking at? One packet should do.
>
> Your description does not sound exactly like like the following, but there
> are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
> Bridge (http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
> style encapsulation.
>
>
> Assuming Wireshark recognizes your packet as something like an IEEE
> 802.1ah packet there might be a protocol specific display filter that
> could get you the "outer" header's source mac value you seek.
>
> Regards,
>
> Jim Y.
>
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe