Wireshark mailing list archives

Re: Extracting outer MAC Address


From: Evan Huus <eapache () gmail com>
Date: Tue, 20 Jan 2015 08:49:21 -0500

On Tue, Jan 20, 2015 at 12:25 AM, Rayne <hjazz6 () ymail com> wrote:

Is the "-E occurrence=f" option only available for certain versions of
tshark? I just tried it and I got the error message:

"occurrence" is not a valid field output option=pair.
The available options for field output "E" are:
header=y|n    Print field abbreviations as first line of output (def: N: no)
separator=/t|/s|<character>    Set the separator to use; "/t" = tab, "/s" = space (def: /t: tab)
quote=d|s|n    Print either d: double-quotes, s: single-quotes or n: no quotes around field values (def: n: none)

I'm using tshark 1.2.15.

Version 1.2 is ancient and no longer supported. If I recall correctly,
the '-E occurrence' flag was added in either 1.4 or 1.6, but both of
those are also end-of-life. I recommend upgrading to at least 1.10 if
at all possible.

Evan

Thank you.

Regards,
Rayne




________________________________
From: Sake Blok <sake () euronet nl>
To: Rayne <hjazz6 () ymail com>; Community support list for Wireshark
<wireshark-users () wireshark org>
Sent: Monday, January 19, 2015 10:03 PM
Subject: Re: [Wireshark-users] Extracting outer MAC Address

You can make tshark print only the outer mac-address with:

tshark -r file.pcap -T fields -E occurrence=f -e eth.src -w output.pcap

BTW, using -w output.pcap will save the packets in binary form to
output.pcap. If you want to save the list of mac-addresses, you should use:

tshark -r file.pcap -T fields -E occurrence=f -e eth.src > output.txt


From "tshark -h":

  -e <field>              field to print if -Tfields selected (e.g. tcp.port,
                          _ws.col.Info)
                          this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
    header=y|n            switch headers on and off
    separator=/t|/s|<char> select tab, space, printable character as separator
    occurrence=f|l|a      print first, last or all occurrences of each field
    aggregator=,|/s|<char> select comma, space, printable character as
                          aggregator
    quote=d|s|n          select double, single, no quotes for values

Cheers,
Sake


On 19 Jan 2015, at 09:16, Rayne wrote:

I realized that the tshark command actually extracts both MAC addresses,
and because I know what the outer MAC address should look like (OUI), I can
essentially get the outer MAC address by doing a grep. Thanks for the
suggestions, Jim and Guy!

From: Jim Young <jyoung () gsu edu>
To: Rayne <hjazz6 () ymail com>; Community support list for Wireshark
<wireshark-users () wireshark org>
Sent: Monday, January 19, 2015 3:35 PM
Subject: Re: [Wireshark-users] Extracting outer MAC Address

Hello Rayne,

On Monday, January 19, 2015 1:58 AM, Rayne <hjazz6 () ymail com> wrote:

I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
802.1Q VLAN, IP.

Wireshark can dissect it.


Is it possible to attach a small example capture file of what you are
looking at? One packet should do.

Your description does not sound exactly like the following, but there
are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
Bridge (http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
style encapsulation.


Assuming Wireshark recognizes your packet as something like an IEEE
802.1ah packet there might be a protocol specific display filter that
could get you the "outer" header's source mac value you seek.

Regards,

Jim Y.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe
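The point Sake makes above is that a frame carrying an Ethernet-in-IP tunnel dissects to two `eth.src` values, and `-E occurrence=f` picks the first (outer) one, the address of the tunnelling device rather than of the original host. The following Python is an added example and not code from any of the posts or from the Wireshark project: it builds a constructed frame shaped like the one Rayne describes (Ethernet / IPv4 / EtherIP / Ethernet / 802.1Q / IPv4, with made-up addresses from the IANA documentation ranges), walks the headers the way a dissector does, and then applies the `occurrence=f|l|a` and `aggregator` selection that tshark's `-T fields` output performs. Every function name here (`eth_src_occurrences`, `select_occurrence`, `fields_line`, `build_sample_frame`) is an assumption of this example, not a Wireshark API.

```python
import struct

# Real protocol constants
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
IPPROTO_ETHERIP = 97      # RFC 3378 Ethernet-in-IP


def mac_str(raw: bytes) -> str:
    """Format six raw bytes the way Wireshark prints eth.src / eth.dst."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes, off: int):
    """Parse one Ethernet header at `off`, skipping a single 802.1Q tag if present.
    Returns (src_mac, ethertype, vlan_id_or_None, offset_of_payload)."""
    _dst, src, etype = struct.unpack_from("!6s6sH", frame, off)
    off += 14
    vlan = None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF
        off += 4
    return mac_str(src), etype, vlan, off


def parse_ipv4(frame: bytes, off: int):
    """Parse an IPv4 header; returns (protocol, offset_of_payload), honouring IHL."""
    ver_ihl = frame[off]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    proto = frame[off + 9]
    return proto, off + ihl


def eth_src_occurrences(frame: bytes) -> list:
    """Walk Ethernet -> IPv4 -> EtherIP -> Ethernet ... and collect every eth.src
    in dissection order, so index 0 is the outer (tunnel endpoint) address."""
    srcs = []
    off = 0
    while True:
        src, etype, _vlan, off = parse_ethernet(frame, off)
        srcs.append(src)
        if etype != ETHERTYPE_IPV4:
            break
        proto, off = parse_ipv4(frame, off)
        if proto != IPPROTO_ETHERIP:
            break
        off += 2  # EtherIP header: 4-bit version (3) plus 12 reserved bits
    return srcs


def select_occurrence(values: list, mode: str = "f") -> list:
    """Mirror tshark's -E occurrence=f|l|a for one field's list of values."""
    if mode == "f":
        return values[:1]
    if mode == "l":
        return values[-1:]
    if mode == "a":
        return list(values)
    raise ValueError(f"unknown occurrence mode {mode!r}")


def fields_line(values: list, mode: str = "f", aggregator: str = ",") -> str:
    """The single eth.src column tshark -T fields would print under the given options."""
    return aggregator.join(select_occurrence(values, mode))


def build_sample_frame() -> bytes:
    """Constructed sample frame: Ethernet / IPv4 / EtherIP / Ethernet / 802.1Q / IPv4.
    All addresses are made up (documentation ranges); checksums are left zero."""
    def ipv4(src, dst, proto, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                           proto, 0, bytes(src), bytes(dst))

    inner_ip = ipv4([10, 0, 0, 5], [10, 0, 0, 9], 17, 0)          # UDP, no payload
    inner_eth = (bytes.fromhex("0242ac110003")                   # inner dst (constructed)
                 + bytes.fromhex("0242ac110002")                 # inner src (constructed)
                 + struct.pack("!HHH", ETHERTYPE_VLAN, 0x0064, ETHERTYPE_IPV4))  # VLAN 100
    etherip = struct.pack("!H", 0x3000)                          # version 3, reserved zero
    payload = etherip + inner_eth + inner_ip
    outer_ip = ipv4([192, 0, 2, 1], [192, 0, 2, 2], IPPROTO_ETHERIP, len(payload))
    outer_eth = (bytes.fromhex("00005e005302")                   # outer dst (constructed)
                 + bytes.fromhex("00005e005301")                 # outer src (constructed)
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return outer_eth + outer_ip + payload


if __name__ == "__main__":
    occurrences = eth_src_occurrences(build_sample_frame())
    for mode in ("f", "l", "a"):
        print(f"occurrence={mode}: {fields_line(occurrences, mode)}")
```

For the constructed frame, `occurrence=f` yields only the outer `00:00:5e:00:53:01`, `occurrence=l` the inner `02:42:ac:11:00:02`, and `occurrence=a` both joined by the aggregator. The same distinction matters when attributing traffic in an incident: the outer source address belongs to whatever device built the tunnel, while the inner one is the host whose frame was carried, and a detection rule keyed on the wrong occurrence will name the wrong party.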