You could brute force it with grep and finesse the output as needed:
The-Ultimate-PCAP$ tshark -r ./*202002* -2 -R ipv6.dst_sa_mac -Nm -V | grep "Destination SA MAC" | sort | uniq
[Destination SA MAC: AmazonTe_05:cd:40 (38:f7:3d:05:cd:40)]
[Destination SA MAC: Sonos_a4:21:8c (78:28:ca:a4:21:8c)]
[Destination SA MAC: Tp-LinkT_4d:6b:8d (f8:1a:67:4d:6b:8d)]
[Destination SA MAC: Tp-LinkT_4d:76:63 (f8:1a:67:4d:76:63)]
[Destination SA MAC: AVMAudio_7e:33:a2 (c8:0e:14:7e:33:a2)]
[Destination SA MAC: AVM_cc:c2:a9 (bc:05:43:cc:c2:a9)]
[Destination SA MAC: Cisco_60:17:c1 (00:25:45:60:17:c1)]
Op 30-07-21 om 21:10 schreef João Valverde via Wireshark-dev:
>> Also, I have not find any aggregate statistics just yet. But
>> nevertheless still happy with this nice feature.
>>
>
> The statistics for SLAAC/OUI don't exist. What I was trying to say is
> that, if we were to add something like that, I think they should go
> somewhere under the IPv6 Statistics menu, not Endpoints.
Ah okay. Got you. Thanks.
One final question; I can't seem to do name resolution with thsark on
the mac addresses I derive from IPv6 SLAAC addresses.
So I can do this:
tshark -r ~/ipv6.pcap -2 -R 'ipv6.dst_sa_mac' -Tfields -eipv6.dst_sa_mac
or this:
tshark -Y 'ipv6.dst_sa_mac' -Tfields -eipv6.dst_sa_mac
And that results in a nice list of MAC addresses in the output.
But adding "-o 'nameres.mac_name:TRUE'" or "-Nm" does not help to cause
manufacturer name resolution to happen on these mac addresses.
It does work for "-e eth.addr_resolved", but obviously this options
concerns other MAC addresses.
Is what I would like to do at all possible, or is that specific use case
something that tshark currently does not support?
Thanks.
--
Marco
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
