showkey Asked: 2016-06-10 02:12:27 +0800 CST

How do I get all the MAC addresses from a captured packet file? [closed]

    tcpdump -i any -w all.cap

Now, how do I get all the MAC addresses from the captured packets? The MAC addresses that are the same as one address.

Tags: tcpdump

Voted Best Answer
2707974 2016-06-10T03:51:53+08:00

First install tshark:

    sudo apt-get install tshark

Now we have a tool that reads the contents of the .cap file. There is the command

    tshark -r all.cap -i eth0 -nn -e eth.src -Tfields

and you will get output like this:

    00:17:31:91:0c:8c
    00:17:31:91:0c:8c
    00:17:31:91:0c:8c
    00:e0:1e:b4:12:42
    00:17:31:91:0c:8c
    00:17:31:91:0c:8c
    54:a0:50:64:cc:39
    00:e0:1e:b4:12:42
    54:a0:50:64:cc:39
    00:e0:1e:b4:12:42
    54:a0:50:64:cc:39
    00:e0:1e:b4:12:42
    54:a0:50:64:cc:39
    00:17:31:91:0c:8c
    00:17:31:91:0c:8c
    54:a0:50:64:cc:39

Or you can modify the command to

    tshark -r aalmac.pcap -i eth0 -nn -e ip.src -e eth.src -Tfields

and get the output

    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    00:e0:1e:b4:12:42
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.40 00:e0:1e:b4:12:42
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.247 00:e0:1e:b4:12:42
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.189 00:e0:1e:b4:12:42
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.143 00:e0:1e:b4:12:42
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.143 00:e0:1e:b4:12:42
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    xxx.xxx.xxx.155 00:e0:1e:b4:12:42
    xxx.xxx.xxx.5 54:a0:50:64:cc:39
    00:e0:1e:b4:12:42
    xxx.xxx.xxx.154 00:e0:1e:b4:12:42
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    xxx.xxx.xxx.5 54:a0:50:64:cc:39

You can see that on some IPs I have two or more MAC addresses. This means the IPs come from the same port on the router.

Next you can modify the command to look like this:

    tshark -r all.cap -i eth0 -nn -e ip.src -e eth.src -Tfields | sort | uniq

and you will get sorted, unique mac <-> ip pairs:

    xxx.xxx.xxx.154 00:e0:1e:b4:12:42
    xxx.xxx.xxx.69 00:e0:1e:b4:12:42
    xxx.xxx.xxx.69 00:e0:1e:b4:12:42
    xxx.xxx.xxx.143 00:e0:1e:b4:12:42
    xxx.xxx.xxx.155 00:e0:1e:b4:12:42
    xxx.xxx.xxx.23 00:e0:1e:b4:12:42
    xxx.xxx.xxx.13 00:e0:1e:b4:12:42
    xxx.xxx.xxx.247 00:e0:1e:b4:12:42
    xxx.xxx.xxx.77 00:e0:1e:b4:12:42
    xxx.xxx.xxx.138 00:e0:1e:b4:12:42
    xxx.xxx.xxx.18 00:1e:8c:a8:3a:9b
    xxx.xxx.xxx.205 00:17:31:91:0c:8c
    ...
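The same MAC <-> IP view the answer builds with tshark, as an added example that is not part of the original answer: a dependency-free pcap reader that yields the source MAC and IPv4 source of each record and groups IPs per MAC. Because the question's capture was taken with `tcpdump -i any`, which writes Linux cooked (SLL) records rather than Ethernet frames (so `eth.src` is absent), the reader handles both link types; the sample captures, the 192.0.2.0/24 addresses and the helper names are constructed for this example.

```python
import struct
from collections import defaultdict

DLT_EN10MB, DLT_LINUX_SLL = 1, 113   # eth0-style Ethernet vs. "tcpdump -i any" cooked header

def iter_frames(pcap):
    """Yield (source MAC, IPv4 source or None) for every record in a pcap file."""
    e = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"  # header byte order
    linktype, off = struct.unpack(e + "I", pcap[20:24])[0], 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack(e + "I", pcap[off + 8:off + 12])
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if linktype == DLT_EN10MB:          # dst(6) src(6) ethertype(2) payload
            src, etype, payload = frame[6:12], frame[12:14], frame[14:]
        elif linktype == DLT_LINUX_SLL:     # SLL carries a source address only, no dst MAC
            halen = struct.unpack(">H", frame[4:6])[0]
            src, etype, payload = frame[6:6 + min(halen, 6)], frame[14:16], frame[16:]
        else:
            continue                        # other link types carry no MAC to report
        ip = None
        if etype == b"\x08\x00" and len(payload) >= 20:   # IPv4: source address at offset 12
            ip = ".".join(str(x) for x in payload[12:16])
        yield ":".join(f"{x:02x}" for x in src), ip

def mac_to_ips(pcap):
    """{source MAC: sorted IPv4 sources}: one MAC fronting many IPs is the router port."""
    seen = defaultdict(set)
    for mac, ip in iter_frames(pcap):
        seen[mac].add(ip or "-")
    return {m: sorted(v) for m, v in seen.items()}

# --- constructed sample captures (not from the page); 192.0.2.0/24 is the documentation range
def _ipv4(src):   # minimal 20-byte IPv4 header, UDP, dst 10.0.0.1
    return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(src) + bytes([10, 0, 0, 1])

def _pcap(linktype, frames):   # little-endian pcap v2.4, snaplen 65535, zero timestamps
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

ROUTER, HOST = bytes.fromhex("00e01eb41242"), bytes.fromhex("54a05064cc39")
ETH_SAMPLE = _pcap(DLT_EN10MB, [bytes(6) + ROUTER + b"\x08\x00" + _ipv4([192, 0, 2, 40]),
                                bytes(6) + ROUTER + b"\x08\x00" + _ipv4([192, 0, 2, 247]),
                                bytes(6) + HOST + b"\x08\x00" + _ipv4([192, 0, 2, 5])])
# same host seen through "-i any": pkttype(2) hatype(2) halen(2) addr(8) proto(2)
SLL_SAMPLE = _pcap(DLT_LINUX_SLL, [b"\x00\x00\x00\x01\x00\x06" + HOST + b"\x00\x00\x08\x00" + _ipv4([192, 0, 2, 5])])

if __name__ == "__main__":
    print(mac_to_ips(ETH_SAMPLE))   # {'00:e0:1e:b4:12:42': ['192.0.2.247', '192.0.2.40'], '54:a0:50:64:cc:39': ['192.0.2.5']}
    print(mac_to_ips(SLL_SAMPLE))   # {'54:a0:50:64:cc:39': ['192.0.2.5']}
```

On a real `-i any` capture the tshark equivalent of `eth.src` is the `sll.src.eth` field; an IP that shows up under more than one MAC over time is worth a second look, since that is also what ARP spoofing looks like in this view.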