From: Joshua Blanton <jblanton@masaka.cs.ohiou.edu>
Date: Wed, 22 Feb 2006 21:07:28 -0500
Subject: tcptrace Re: Displaying MAC address
Message-ID: <20060223020727.GJ18694@mauser.ipx.ath.cx>
Leslie Choong wrote:
> Hi there, I am currently using tcptrace to identify flows within a
> large wireless network. In order to do this I also need to lookup the
> MAC address associated with each IP address that is contained within
> the tcpdump packet files I am processing. I have looked through the
> documentation and have not found any suitable tcptrace commands (the
> -l long list does not display it either) to achieve this. So at the
> moment I am using tcpdump to do the lookup for each IP -> MAC address
> mapping which is very inefficient. I was wondering whether tcptrace
> does support the extraction of MAC addresses and if so how. If
> tcptrace does not support this feature are there any other programs
> you users are aware of that have a similar function to tcptrace but
> also allows MAC address lookup.
For the record, you cannot post to the tcptrace list without being
subscribed; fortunately, I'm the bounce target, and I noticed that
your email wasn't spam before deleting it :-) Hopefully if
someone else knows a good solution they can speak up.
That said, I don't really understand what you're wanting to do -
what do you want to do with the MAC addresses? Do you simply want
to print out the MAC addresses of each connection along with the IP
and port pairs in the tcptrace *output*, or do you want to change
tcptrace's behavior based on MAC addresses?
> As a last choice possibility, I have considered modifying the tcptrace
> source to fit this need. If none of the other options are possible
> then where should I begin looking if I wanted to add this feature into
> tcptrace? Thank you very much.
You would start by looking at the file that parses the input of the
file format that you're using (from the sound of things, the pcap
parser file, tcpdump.c). From there, you would have to make the
parser record MAC addresses... tcptrace does not record MAC
addresses because they aren't even guaranteed to exist in all link
types, and it would be a pain to handle all possibilities (that's
the first reason that popped into my head - I'm sure there are a
myriad more).
Chances are good that tcptrace, by itself, is not a reasonable
solution to your problem. It's possible that you could modify it to
suit your needs; however, I think that this may be a large
undertaking. Since it doesn't keep any state about the link layer,
if you're wanting to know where flows are traversing on the interior
of a network you'll need to add some non-trivial functionality.
--jtb
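The point made above, that a link-layer address is only present for some link types, is what any IP-to-MAC extraction has to deal with first. The following is an added, stand-alone example and not part of this message or of tcptrace: a minimal classic-pcap reader in Python that builds an IP -> set-of-MACs map for Ethernet captures (including one 802.1Q tag), records only the sender address for Linux "cooked" (SLL) captures, and records no MAC at all for raw-IP captures. Any other link type, including the 802.11 framing a wireless capture may carry, is deliberately left unmapped rather than guessed at. The helper names (parse_pcap, link_layer, ether, sll, pcap) and the sample captures are constructed here for illustration; the DLT_* values are the libpcap link-type numbers.

```python
import struct

# pcap link-layer types (libpcap values) that this example understands
DLT_EN10MB = 1        # Ethernet: src and dst MAC present
DLT_RAW = 101         # raw IP: no link header at all
DLT_LINUX_SLL = 113   # Linux "cooked" capture: sender address only
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ipv4_endpoints(ip):
    """(src_ip, dst_ip) from an IPv4 header, or None if it is not IPv4."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))

def link_layer(linktype, pkt):
    """Yield (ip, mac-or-None) for both endpoints of one captured packet."""
    if linktype == DLT_EN10MB:
        if len(pkt) < 14:
            return
        dst_mac, src_mac = mac_str(pkt[0:6]), mac_str(pkt[6:12])
        etype, off = struct.unpack("!H", pkt[12:14])[0], 14
        if etype == ETHERTYPE_VLAN and len(pkt) >= 18:   # skip one 802.1Q tag
            etype, off = struct.unpack("!H", pkt[16:18])[0], 18
        ends = ipv4_endpoints(pkt[off:]) if etype == ETHERTYPE_IPV4 else None
        if ends:
            yield ends[0], src_mac
            yield ends[1], dst_mac
    elif linktype == DLT_LINUX_SLL:
        if len(pkt) < 16:
            return
        _ptype, _hatype, halen, addr, proto = struct.unpack("!HHH8sH", pkt[:16])
        ends = ipv4_endpoints(pkt[16:]) if proto == ETHERTYPE_IPV4 else None
        if ends:
            yield ends[0], mac_str(addr[:6]) if halen == 6 else None
            yield ends[1], None               # SLL never records the receiver
    elif linktype == DLT_RAW:
        ends = ipv4_endpoints(pkt)
        if ends:
            yield ends[0], None
            yield ends[1], None
    # any other link type (802.11, PPP, ...) is left unmapped on purpose

def parse_pcap(data):
    """Return (linktype, {ip: set(mac)}); IPs seen without a MAC map to set()."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    linktype = struct.unpack(end + "I", data[20:24])[0]
    mapping, off = {}, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < incl_len:
            break                             # truncated final record
        for ip, mac in link_layer(linktype, pkt):
            macs = mapping.setdefault(ip, set())
            if mac is not None:
                macs.add(mac)
    return linktype, mapping

# --- constructed sample captures (synthetic, not real traffic) -----------
def ipv4(src, dst):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + bytes(20)                    # zeroed TCP header, checksums unset

def ether(src_mac, dst_mac, payload, vlan=None):
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def sll(src_mac, payload):
    addr = bytes.fromhex(src_mac.replace(":", "")) + b"\0\0"
    return struct.pack("!HHH8sH", 0, 1, 6, addr, ETHERTYPE_IPV4) + payload

def pcap(linktype, packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1140660448 + i, 0, len(p), len(p)) + p
    return out

A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_ETH = pcap(DLT_EN10MB, [ether(A, B, ipv4("10.0.0.1", "10.0.0.2")),
                               ether(B, A, ipv4("10.0.0.2", "10.0.0.1"), vlan=100)])
SAMPLE_SLL = pcap(DLT_LINUX_SLL, [sll(A, ipv4("192.0.2.1", "192.0.2.2"))])
SAMPLE_RAW = pcap(DLT_RAW, [ipv4("10.0.0.1", "10.0.0.2")])

if __name__ == "__main__":
    print(parse_pcap(SAMPLE_ETH), parse_pcap(SAMPLE_SLL), parse_pcap(SAMPLE_RAW))
```

Running it prints one (linktype, mapping) pair per sample: the Ethernet capture yields one MAC per IP, the SLL capture yields a MAC only for the sender, and the raw-IP capture yields both IPs with empty sets. On a real file, replace the SAMPLE_* bytes with open(path, "rb").read(); the reader deliberately keys the map on IP rather than on flow, since one IP seen behind several MACs (a roaming client, or a router answering for it) is exactly the case a per-flow tool would hide.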
----------------------------------------------------------------------------
To unsubscribe, send a message with body containing "unsubscribe tcptrace" to
majordomo@tcptrace.org.
This archive was generated by hypermail 2.1.7 : 02/23/06 EST