Get only the source MAC address from tcpdump


Problem description

I am trying to get the source MAC address of every packet being dumped on the network, excluding any packets involving the host machine. I expect that in order to accomplish this I should get the data from tcpdump with the host's network interface in promiscuous mode.

Note that I am not interested in getting the full header or even the link-level header. The -e option is not what I want. I just want the source MAC address for each packet, and nothing more.

This is what I am currently doing:

sudo tcpdump -I -elt -i wlan0 not host 127.0.0.1 2>> /dev/null | sed 's/ .*//'

with 127.0.0.1 replaced by the actual IP address of the local network interface.

This works great on some networks, where the source MAC address is the first piece of information output by tcpdump. Unfortunately, this has not always been my experience. It seems that the output of tcpdump is protocol-dependent, and so on some networks it varies.

I suppose I could rewrite my sed command so that it outputs the first item that matches the regex for a MAC address:

(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}

but I am unsure whether the first MAC address on the line will always be the source MAC address.

If there's no way to have tcpdump output the source MAC address directly, is there some way I could have it output the raw bits of the link-level header? From there I should be able to piece together the source MAC address.

Answer

By using tshark you can do it like that. For example:

tshark -i eth0 -e eth.src -Tfields
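The question also asks for a tcpdump-only route via the raw link-layer bytes, which works and avoids the protocol-dependent summary line entirely. The script below is an added example (not part of the original question or answer): `tcpdump -xx` prints each frame's bytes starting at the link-layer header, so on an Ethernet capture the source MAC is always bytes 6 to 11, regardless of what protocol rides on top. The sample dump it parses is constructed, not a real capture; the interface name and the `/sys/class/net/.../address` lookup in the commented live command are assumptions for a Linux host. One caveat for the asker's `-I` on wlan0: in monitor mode tcpdump typically captures with a radiotap header followed by an 802.11 header, so the Ethernet offsets below do not apply there.

```shell
#!/bin/sh
# Added example, not from the original post: extract the source MAC from tcpdump's
# raw link-layer hex dump instead of from its protocol-dependent summary line.
#
# `tcpdump -xx` prints each frame as a summary line followed by hex lines such as
#     0x0000:  ffff ffff ffff 0011 2233 4455 0806 0001
# With -xx (two x's, not -x) the dump starts at the link-layer header, so on an
# Ethernet (EN10MB) capture bytes 0-5 are the destination MAC and bytes 6-11 the
# source MAC. In awk the 16-bit groups on the "0x0000:" line are $2..$9, so the
# source MAC is the 12 hex digits of $5 $6 $7. Assumption: Ethernet link type;
# a monitor-mode wireless capture has radiotap + 802.11 headers at different offsets.

src_mac_from_hexdump() {
    awk '
        $1 == "0x0000:" {
            hex = $5 $6 $7                      # 12 hex digits, no separators
            mac = substr(hex, 1, 2)
            for (i = 3; i <= 11; i += 2) mac = mac ":" substr(hex, i, 2)
            print mac
        }'
}

# Constructed sample of `tcpdump -t -nn -xx` output (two frames: one ARP request,
# one TCP ACK); this is not a real capture.
SAMPLE_HEXDUMP='ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28
        0x0000:  ffff ffff ffff 0011 2233 4455 0806 0001
        0x0010:  0800 0604 0001 0011 2233 4455 c000 0214
        0x0020:  0000 0000 0000 c000 0201
IP 192.0.2.30.443 > 192.0.2.20.51000: Flags [.], ack 1, win 65535, length 0
        0x0000:  0011 2233 4455 aabb ccdd eeff 0800 4500
        0x0010:  0028 0000 4000 4006 0000 c000 021e c000
        0x0020:  0214 01bb c738 0000 0000 0000 0001 5010
        0x0030:  ffff 0000 0000'

# One source MAC per frame in the sample, in capture order.
demo_src_macs() {
    printf '%s\n' "$SAMPLE_HEXDUMP" | src_mac_from_hexdump
}

# The de-duplicated set of senders seen, which is usually what a survey wants.
demo_unique_senders() {
    demo_src_macs | sort -u
}

# Live use (needs root and a real interface; not executed here). Filtering on
# "ether host" (the BPF link-layer primitive) rather than "host <ip>" also drops
# this host's own non-IP frames such as ARP, which an IP-based filter lets through.
# -l keeps tcpdump line-buffered so the pipe produces output as frames arrive.
#   iface=eth0
#   own_mac=$(cat /sys/class/net/"$iface"/address)
#   sudo tcpdump -l -t -nn -xx -i "$iface" "not ether host $own_mac" 2>/dev/null \
#       | src_mac_from_hexdump

demo_src_macs
```

The hex dump is parsed rather than the summary line because the summary format changes per protocol (ARP, LLC, IP, and so on), while the byte offsets of an Ethernet header do not; `-nn -t` just keeps the summary lines short so they never start with something that looks like an offset.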
