Get only the source MAC address from tcpdump

Published 2019-08-09 23:45

Question:

I am trying to get the source MAC address of every packet being dumped on the network, excluding any packets involving the host machine. I expect that in order to accomplish this I should get the data from tcpdump with the host's network interface in promiscuous mode.

Note that I am not interested in getting the full header or even the link level header. The -e option is not what I want. I just want the source MAC address for each packet, and nothing more.

This is what I am currently doing right now:

sudo tcpdump -I -elt -i wlan0 not host 127.0.0.1 2>> /dev/null | sed 's/ .*//'

with 127.0.0.1 replaced with the actual IP address of the local network interface.

This works great in some networks, where the source MAC address is the first piece of information that is output by tcpdump. Unfortunately, this has not always been my experience. It seems that the output to tcpdump is protocol-dependent and so on some networks it varies.

I suppose I could rewrite my sed command so that it outputs the first item that matches the regex for a MAC address:

(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}

but I am unsure if the first MAC address in the line will always be the source MAC address.

If there's no way to have tcpdump output the source MAC address directly, is there some way I could have it output the raw bits from the link level header? From there I should be able to piece together the source MAC address.
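The last idea in the question (take the raw link-level bytes and pick the source address out of them yourself) is the robust way to do this, because it does not depend on how tcpdump chooses to print each protocol. The script below is an added example, not part of the original question or answer: it reads the hex dump that `tcpdump -xx` prints, groups the hex lines of each frame, and returns the source MAC. It handles plain Ethernet (bytes 6-11 of the frame) and, because the question captures with `-I` on `wlan0`, also 802.11 with a radiotap header, where the source address sits in Addr2, Addr3 or Addr4 depending on the To-DS/From-DS bits; control frames such as ACKs carry no source address and are skipped. The sample hex dumps, the MAC addresses in them, the `srcmac.py` file name and the link-type names passed as arguments are all constructed for the example; tcpdump itself reports the capture's link type on stderr when it starts.

```python
"""Extract the source MAC of every frame from `tcpdump -xx` output.

Added example, not code from the original question or answer. Intended
use (srcmac.py is a placeholder name; the MAC is the local interface's):
    sudo tcpdump -l -xx -i eth0 not ether host 00:11:22:33:44:55 2>/dev/null \
        | python3 srcmac.py EN10MB
Pass IEEE802_11_RADIO instead when capturing with -I on a wireless card.
"""
import re
import sys
from typing import Iterable, Iterator

# A hex line from tcpdump -xx looks like "\t0x0010:  0028 0000 4000 4006 ...".
HEX_LINE = re.compile(r"^\s+0x[0-9a-fA-F]{4}:\s+([0-9a-fA-F ]+)$")


def frames_from_hexdump(lines: Iterable[str]) -> Iterator[bytes]:
    """Group consecutive hex lines into one bytes object per frame."""
    buf = []
    for line in lines:
        m = HEX_LINE.match(line.rstrip())
        if m:
            buf.append(m.group(1).replace(" ", ""))
        elif buf:                       # a summary line starts the next frame
            yield bytes.fromhex("".join(buf))
            buf = []
    if buf:
        yield bytes.fromhex("".join(buf))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def src_mac_ethernet(frame: bytes) -> str:
    """DLT_EN10MB: destination MAC at bytes 0-5, source MAC at bytes 6-11."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return mac_str(frame[6:12])


def src_mac_80211_radiotap(frame: bytes) -> str:
    """DLT_IEEE802_11_RADIO (what -I on wlan0 yields): skip the radiotap
    header, then choose the SA field from the To-DS/From-DS bits."""
    if len(frame) < 4:
        raise ValueError("frame shorter than a radiotap header")
    rt_len = int.from_bytes(frame[2:4], "little")   # radiotap length, LE
    dot11 = frame[rt_len:]
    if len(dot11) < 24:
        raise ValueError("802.11 header truncated (or a short control frame)")
    if (dot11[0] >> 2) & 0x3 == 1:
        raise ValueError("control frame carries no source address")
    to_ds, from_ds = dot11[1] & 0x1, (dot11[1] >> 1) & 0x1
    if not from_ds:
        return mac_str(dot11[10:16])    # SA = Addr2 (IBSS, or station -> AP)
    if not to_ds:
        return mac_str(dot11[16:22])    # AP -> station: SA = Addr3
    if len(dot11) < 30:
        raise ValueError("WDS frame truncated before Addr4")
    return mac_str(dot11[24:30])        # WDS (To-DS and From-DS): SA = Addr4


PARSERS = {"EN10MB": src_mac_ethernet, "IEEE802_11_RADIO": src_mac_80211_radiotap}


def source_macs(lines: Iterable[str], link_type: str = "EN10MB",
                exclude=frozenset()) -> Iterator[str]:
    """Yield the source MAC of each parseable frame, dropping those in `exclude`."""
    parse = PARSERS[link_type]
    for frame in frames_from_hexdump(lines):
        try:
            mac = parse(frame)
        except ValueError:              # control frames, truncated captures
            continue
        if mac not in exclude:
            yield mac


# Constructed sample output (not a real capture): one TCP SYN and one ARP
# request on Ethernet; source MACs 66:aa:bb:cc:dd:ee and 0a:1b:2c:3d:4e:5f.
ETH_SAMPLE = """\
23:45:01.000001 IP 192.168.1.10.40000 > 192.168.1.1.80: Flags [S], seq 1, win 64240, length 0
\t0x0000:  0011 2233 4455 66aa bbcc ddee 0800 4500
\t0x0010:  0028 0000 4000 4006 0000 c0a8 010a c0a8
\t0x0020:  0101 9c40 0050 0000 0001 0000 0000 5002
23:45:01.000002 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
\t0x0000:  ffff ffff ffff 0a1b 2c3d 4e5f 0806 0001
\t0x0010:  0800 0604 0001 0a1b 2c3d 4e5f c0a8 0114
"""

# Constructed sample for monitor mode: an 8-byte radiotap header followed by
# a station->AP data frame (To-DS), an AP->station data frame (From-DS) and
# an ACK, which has no source address and is skipped.
WLAN_SAMPLE = """\
23:45:02.000001 2412 MHz 11g Data (constructed summary line)
\t0x0000:  0000 0800 0000 0000 0801 0000 aabb ccdd
\t0x0010:  ee01 0211 2233 4455 aabb ccdd ee02 0000
23:45:02.000002 2412 MHz 11g Data (constructed summary line)
\t0x0000:  0000 0800 0000 0000 0802 0000 0211 2233
\t0x0010:  4455 aabb ccdd ee01 0266 7788 9900 0000
23:45:02.000003 2412 MHz 11g Acknowledgment (constructed summary line)
\t0x0000:  0000 0800 0000 0000 d400 0000 aabb ccdd
\t0x0010:  ee01
"""

if __name__ == "__main__":
    link = sys.argv[1] if len(sys.argv) > 1 else "EN10MB"
    for mac in source_macs(sys.stdin, link):
        print(mac, flush=True)
```

Filtering out the local host is better done in the BPF expression with `not ether host <local MAC>` than with `not host <IP>`, since a MAC-level filter also drops the host's own ARP and non-IP frames; the `exclude` set exists for the case where the local MAC is only known after the capture has started.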

Answer 1:

By using tshark you can do it like that:

Example:

tshark -i eth0 -e eth.src -Tfields