Wireshark-users: Re: [Wireshark-users] Extracting outer MAC Address
From: Evan Huus <eapache@xxxxxxxxx>
Date: Tue, 20 Jan 2015 08:49:21 -0500
On Tue, Jan 20, 2015 at 12:25 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
>
> Is the "-E occurrence=f" option only available for certain versions of
> tshark? I just tried it and I got the error message:
>
> "occurrence" is not a valid field output option=pair.
> The available options for field output "E" are:
>   header=y|n Print field abbreviations as first line of output (def: N: no)
>   separator=/t|/s|<character> Set the separator to ise; "/t" = tab, "/s" =
>   space (def: /t: tab)
>   quote=d|s|n Print either d: double-quotes, s: single-quotes or n: no
>   quotes around field values (def: n: none)
>
> I'm using tshark 1.2.15.

Version 1.2 is ancient and no longer supported. If I recall correctly,
the '-E occurrence' flag was added in either 1.4 or 1.6, but both of
those are also end-of-life. I recommend upgrading to at least 1.10 if at
all possible.

Evan

> Thank you.
>
> Regards,
> Rayne
>
> ________________________________
> From: Sake Blok <sake@xxxxxxxxxx>
> To: Rayne <hjazz6@xxxxxxxxx>; Community support list for Wireshark
> <wireshark-users@xxxxxxxxxxxxx>
> Sent: Monday, January 19, 2015 10:03 PM
> Subject: Re: [Wireshark-users] Extracting outer MAC Address
>
> You can make tshark print only the outer mac-address with:
>
>   tshark -r file.pcap -T fields -E occurrence=f -e eth.src -w output.pcap
>
> BTW, using -w output.pcap will save the packets in binary form to
> output.pcap. If you want to save the list of mac-addresses, you should use:
>
>   tshark -r file.pcap -T fields -E occurrence=f -e eth.src > output.txt
>
> From "tshark -h":
>
>   -e <field>               field to print if -Tfields selected (e.g. tcp.port,
>                            _ws.col.Info)
>                            this option can be repeated to print multiple fields
>   -E<fieldsoption>=<value> set options for output when -Tfields selected:
>      header=y|n            switch headers on and off
>      separator=/t|/s|<char> select tab, space, printable character as separator
>      occurrence=f|l|a      print first, last or all occurrences of each field
>      aggregator=,|/s|<char> select comma, space, printable character as aggregator
>      quote=d|s|n           select double, single, no quotes for values
>
> Cheers,
> Sake
>
> On 19 jan 2015, at 09:16, Rayne wrote:
>
>> I realized that the tshark command actually extracts both MAC addresses,
>> and because I know what the outer MAC address should look like (OUI), I can
>> essentially get the outer MAC address by doing a grep. Thanks for the
>> suggestions, Jim and Guy!
>>
>> From: Jim Young <jyoung@xxxxxxx>
>> To: Rayne <hjazz6@xxxxxxxxx>; Community support list for Wireshark
>> <wireshark-users@xxxxxxxxxxxxx>
>> Sent: Monday, January 19, 2015 3:35 PM
>> Subject: Re: [Wireshark-users] Extracting outer MAC Address
>>
>> Hello Rayne,
>>
>> On Monday, January 19, 2015 1:58 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
>>
>> >I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
>> >MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
>> >802.1Q VLAN, IP.
>> >
>> >Wireshark can dissect it.
>>
>> Is it possible to attach a small example capture file of what you are
>> looking at? One packet should do.
>>
>> Your description does not sound exactly like the following, but there
>> are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
>> Bridge (http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
>> style encapsulation.
>>
>> Assuming Wireshark recognizes your packet as something like an IEEE
>> 802.1ah packet there might be a protocol specific display filter that
>> could get you the "outer" header's source mac value you seek.
>>
>> Regards,
>>
>> Jim Y.
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives: http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
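
Added example (not part of the original thread, and not Wireshark code): a small parser showing why eth.src has two occurrences in the Ethernet / IPv4 / EtherIP / Ethernet / 802.1Q / IP stack described above, and why the first occurrence is the outer MAC. The function names and the sample frame are constructed for illustration; the frame assumes the RFC 3378 EtherIP layout (IP protocol 97, 2-byte header).

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
IPPROTO_ETHERIP = 97  # RFC 3378

def eth_src_occurrences(frame: bytes) -> list:
    """Every Ethernet source MAC in dissection order, outermost first."""
    macs, off = [], 0
    while len(frame) >= off + 14:
        macs.append(":".join(f"{b:02x}" for b in frame[off + 6:off + 12]))
        (ethertype,) = struct.unpack_from("!H", frame, off + 12)
        off += 14
        while ethertype == ETHERTYPE_VLAN and len(frame) >= off + 4:
            (ethertype,) = struct.unpack_from("!H", frame, off + 2)  # skip 802.1Q tag
            off += 4
        if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
            break
        ihl = (frame[off] & 0x0F) * 4
        if ihl < 20 or frame[off + 9] != IPPROTO_ETHERIP:
            break
        off += ihl + 2  # IPv4 header, then the 2-byte EtherIP header
    return macs

def select(values: list, occurrence: str = "a") -> list:
    """Mimic the f|l|a choices of '-E occurrence' on a list of values."""
    if occurrence == "f":
        return values[:1]
    if occurrence == "l":
        return values[-1:]
    return values

def build_sample() -> bytes:
    """Constructed frame: Ethernet / IPv4 / EtherIP / Ethernet / 802.1Q / IPv4."""
    inner = (bytes.fromhex("02aabbccdd02") + bytes.fromhex("02aabbccdd01")
             + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_IPV4)
             + bytes([0x45]) + bytes(8) + bytes([17]) + bytes(10))
    payload = bytes([0x30, 0x00]) + inner  # EtherIP header, version nibble 3
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IPPROTO_ETHERIP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    outer = (bytes.fromhex("001122334402") + bytes.fromhex("001122334401")
             + struct.pack("!H", ETHERTYPE_IPV4))
    return outer + ip + payload

if __name__ == "__main__":
    macs = eth_src_occurrences(build_sample())
    print("all:", ",".join(macs), "| first:", select(macs, "f")[0])
```

Selecting by position rather than by a known OUI also works when the outer and inner interfaces come from the same vendor.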