Monday, April 18, 2011

Reading Wireshark

Goal: find how Wireshark gets the MAC address on Windows and MacOS

To reach the goal:
1. finish reading Wireshark docs, see notes below
2. read victor email, see this post
3. read grep of "mac address" in doc. It was useless
4. read grep of "mac address" from wireshark root
5. email wireshark dev
6. How to get Linux MAC address? look in ether_shell

At first, I grep-ed for "MAC address" in the entire Wireshark directory with grep -ir "mac address" . > hq_macaddsearch.txt. It took way too long to complete so I stopped it. Then I looked and saw that it already had over 150,000 lines where the bottom is filled with "hq_macaddsearch.txt" ... oh I made the infinite loop mistake again, should have saved it to ../hq_macaddsearch.txt :/

I grep-ed for "Mac address" in the entire Wireshark directory with grep -ir "mac address" . and found over 500 entries. I would go back to it after reading the docs to understand which entries are important.

Reading Wireshark docs:
  • The overview of Wireshark
    • Dumpcap needs elevated privileges to do the capturing. It has code customized for each OS. It talks with WinPcap or libpcap, platform-dependent packet capture libraries to capture from different types of interfaces.
  • Each of the dissectors in epan/dissectors decodes one layer of the protocol before handing the remaining data to the next dissector.
  • Wireshark is based on the GTK toolkit for the UI.
  • Not very helpful in trying to find MAC addresses
epan = Ethereal Packet ANalyzer
ett = Ethereal Tree Type
hf = header field
gchar* = pointer to character string
guint8 = 1-byte value
guint16 = 2-byte value
tvb = Testy Virtual Buffer

Reading Wireshark & Ethereal Network Protocol Analyzer Toolkit

  • every NIC (Network Interface Card) has a unique MAC Address
  • A MAC address is a 48-bit number, aka a 12-digit hexadecimal number. The first half (24 bits) identifies the manufacturer of the Ethernet card; the last 24 bits are an assigned serial number. e.g.: 12:34:56:78:9a:bc
  • View MAC Address on different operating systems:
    • Windows XP: command line type ipconfig /all, under Physical Address
    • Linux: command line type ifconfig -a, listed as "HWaddr". "lo" doesn't have a MAC address, because it's a loopback interface only. On other computers, arp -a might be useful too.
    • MacOS: command line type ifconfig -a, listed under the "Ether" label.
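As an added example (not code from the original post or from Wireshark), here is a small Python script that pulls MAC addresses out of constructed ifconfig/ipconfig output using the three labels above and splits each one into its manufacturer (OUI) half and its serial half. It also goes one step beyond the notes by reading the two flag bits of the first octet (I/G = multicast, U/L = locally administered), which Wireshark's Ethernet dissector displays as well. The sample outputs and the names parse_mac, find_macs and is_valid_mac are mine.

```python
import re

# Constructed sample command output, modelled on the labels from the notes:
# "HWaddr" (Linux ifconfig), "ether" (macOS ifconfig), "Physical Address"
# (Windows ipconfig /all). None of this is real captured data.
SAMPLE_LINUX = """eth0      Link encap:Ethernet  HWaddr 12:34:56:78:9a:bc
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
SAMPLE_MACOS = """en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 02:00:5e:10:00:01
\tinet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255
"""
SAMPLE_WINDOWS = """Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
"""

# Six hex octets joined by a consistent separator, either ':' or '-'.
# Group 1 captures the separator so the backreference forces consistency.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}\b")


def is_valid_mac(text):
    """True if text is exactly one 48-bit MAC address in colon or dash form."""
    return MAC_RE.fullmatch(text.strip()) is not None


def parse_mac(text):
    """Normalise a MAC string to lowercase colon form and split out its fields.

    First 24 bits: manufacturer identifier (OUI). Last 24 bits: serial number.
    Bit 0 of the first octet is the I/G bit (1 = group/multicast address);
    bit 1 is the U/L bit (1 = locally administered, not a vendor-burned-in OUI).
    """
    if not is_valid_mac(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [int(o, 16) for o in re.split(r"[:-]", text.strip())]
    hexs = [f"{o:02x}" for o in octets]
    return {
        "mac": ":".join(hexs),
        "oui": ":".join(hexs[:3]),
        "serial": ":".join(hexs[3:]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


def find_macs(output):
    """Extract every MAC address from ifconfig/ipconfig text, in order of appearance.

    Interfaces without a hardware address (e.g. the Linux 'lo' loopback) add nothing.
    """
    return [parse_mac(m.group(0)) for m in MAC_RE.finditer(output)]


if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("macos", SAMPLE_MACOS), ("windows", SAMPLE_WINDOWS)):
        for info in find_macs(sample):
            print(name, info)
```

The same regex handles all three output formats because they differ only in the label and separator; the canonical colon form is what Wireshark prints in its Ethernet dissector, so normalising to it makes addresses from different hosts directly comparable in a capture.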
