Wireshark-users: Re: [Wireshark-users] Extracting outer MAC Address

From: Rayne <hjazz6@xxxxxxxxx>
Date: Mon, 19 Jan 2015 08:16:38 +0000 (UTC)
I realized that the tshark command actually extracts both MAC addresses, and because I know what the outer MAC address should look like (OUI), I can essentially get the outer MAC address by doing a grep. Thanks for the suggestions, Jim and Guy!


From: Jim Young <jyoung@xxxxxxx>
To: Rayne <hjazz6@xxxxxxxxx>; Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Monday, January 19, 2015 3:35 PM
Subject: Re: [Wireshark-users] Extracting outer MAC Address

Hello Rayne,



On Monday, January 19, 2015 1:58 AM, Rayne <hjazz6@xxxxxxxxx> wrote:

>I see 2 full Ethernet headers in Wireshark - Ethernet with Source/Dest
>MAC address, IPv4, EtherIP Version 4, Ethernet with Source/Dest address,
>802.1Q VLAN, IP.
>
>Wireshark can dissect it.


Is it possible to attach a small example capture file of what you are
looking at? One packet should do.

Your description does not sound exactly like the following, but there
are encapsulating protocols such as IEEE 802.1ah-2008, Provider Backbone
Bridge (http://en.wikipedia.org/wiki/IEEE_802.1ah-2008) that do MAC-in-MAC
style encapsulation.


Assuming Wireshark recognizes your packet as something like an IEEE
802.1ah packet there might be a protocol specific display filter that
could get you the "outer" header's source MAC value you seek.

Regards,

Jim Y.
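
Added example, not part of the original thread: a small parser for the header stack described above (Ethernet, IPv4, EtherIP, Ethernet, 802.1Q VLAN, IP) that returns the MAC pairs by position, so the outer address can be picked without knowing its OUI. The function names and the sample frame are constructed for illustration.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_ETHERIP = 97  # IANA protocol number for EtherIP (RFC 3378)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ethernet(buf, off):
    """Return (dst, src, ethertype, payload_offset), skipping 802.1Q tags."""
    dst, src = buf[off:off + 6], buf[off + 6:off + 12]
    (etype,) = struct.unpack_from("!H", buf, off + 12)
    off += 14
    while etype == ETHERTYPE_VLAN:
        if len(buf) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack_from("!H", buf, off + 2)
        off += 4
    return mac(dst), mac(src), etype, off

def ethernet_layers(frame):
    """List (dst, src) for each Ethernet header, outermost first."""
    layers, off = [], 0
    while len(frame) >= off + 14:
        dst, src, etype, off = parse_ethernet(frame, off)
        layers.append((dst, src))
        if etype != ETHERTYPE_IPV4 or len(frame) < off + 20:
            break
        ihl = (frame[off] & 0x0F) * 4          # IPv4 header length in bytes
        if ihl < 20 or frame[off + 9] != IPPROTO_ETHERIP:
            break
        off += ihl + 2                          # skip IPv4 + 2-byte EtherIP header
    return layers

# Constructed sample frame (addresses are made up, checksums left at zero).
SAMPLE = bytes.fromhex(
    "001122334455" "00aabb000001" "0800"            # outer Ethernet
    "4500" "003c" "0000" "0000" "40" "61" "0000"    # outer IPv4, protocol 97
    "c0000201" "c0000202"
    "3000"                                          # EtherIP header
    "020000000002" "020000000001" "8100"            # inner Ethernet
    "0064" "0800"                                   # 802.1Q tag, VLAN 100
    "4500" "0014" "0000" "0000" "40" "11" "0000"    # inner IPv4 (UDP)
    "0a000001" "0a000002"
)

if __name__ == "__main__":
    for depth, (dst, src) in enumerate(ethernet_layers(SAMPLE)):
        print(f"layer {depth}: src={src} dst={dst}")
```

Index 0 of the returned list is the outer header and the last index is the innermost one.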