Re: Extracting outer MAC Address

[Rayne <hjazz6 () ymail com>]

Is the "-E occurrence=f" option only available for certain versions of tshark? I just tried it and I got the error 
message:
"occurrence" is not a valid field output option=pair.The available options for field output "E" are:header=y|n    Print 
field abbreviations as first line of output (def: N: no)separator=/t|/s|<character>    Set the separator to ise; "/t" = 
tab, "/s" = space (def: /t: tab)quote=d|s|n    Print either d: double-quotes, s: single-quotes or n: no quotes around 
field values (def: n: none)
I'm using tshark 1.2.15.
Thank you.
Regards,
Rayne


 

     From: Sake Blok <sake () euronet nl>
 To: Rayne <hjazz6 () ymail com>; Community support list for Wireshark <wireshark-users () wireshark org> 
 Sent: Monday, January 19, 2015 10:03 PM
 Subject: Re: [Wireshark-users] Extracting outer MAC Address
   
You can make tshark print only the outer mac-address with :

tshark -r file.pcap -T fields -E occurrence=f -e eth.src -w output.pcap

BTW, using -w output.pcap will save the packets in binary form to output.pcap . If you want to save the list of 
mac-addresses, you should use:

tshark -r file.pcap -T fields -E occurrence=f -e eth.src > output.txt


> From "tshark -h":

  -e <field>              field to print if -Tfields selected (e.g. tcp.port,
                          _ws.col.Info)
                          this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
    header=y|n            switch headers on and off
    separator=/t|/s|<char> select tab, space, printable character as separator
    occurrence=f|l|a      print first, last or all occurrences of each field
    aggregator=,|/s|<char> select comma, space, printable character as
                          aggregator
    quote=d|s|n          select double, single, no quotes for values

Cheers,
Sake


On 19 jan 2015, at 09:16, Rayne wrote:

> I realized that the tshark command actually extracts both MAC addresses, and because I know what the outer MAC 
> address should look like (OUI), I can essentially get the outer MAC address by doing a grep. Thanks for the 
> suggestions, Jim and Guy!
>
> From: Jim Young <jyoung () gsu edu>
> To: Rayne <hjazz6 () ymail com>; Community support list for Wireshark <wireshark-users () wireshark org> 
> Sent: Monday, January 19, 2015 3:35 PM
> Subject: Re: [Wireshark-users] Extracting outer MAC Address
>
> Hello Rayne,
>
>
>
> On Monday, January 19, 2015 1:58 AM, Rayne <hjazz6 () ymail com> wrote:
>
> > I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
> > MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
> > 802.1Q VLAN, IP.
> >
> > Wireshark can dissect it.
>
>
> Is is possible to attach a small example capture file of what you are
> looking at? One packet should do.
>
> Your description does not sound exactly like like the following, but there
> are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
> Bridge (http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
> style encapsulation.
>
>
> Assuming Wireshark recognizes your packet as something like an IEEE
> 802.1ah packet there might be a protocol specific display filter that
> could get you the "outer" header's source mac value you seek.
>
> Regards,
>
> Jim Y.
>
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe




   
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe