From: Brent Draney (brdraney@nersc.gov)
Date: 02/22/06
Message-Id: <200602230352.k1N3q3FZ009911@exit.nersc.gov>
Subject: Re: tcptrace Re: Displaying MAC address
Date: Wed, 22 Feb 2006 19:52:03 -0800
From: Brent Draney <brdraney@nersc.gov>
I believe that Arpwatch is what you are looking for.
Man page located at:
http://linuxcommand.org/man_pages/arpwatch8.html
-- Brent
>
> Leslie Choong wrote:
> > Hi there, I am currently using tcptrace to identify flows within a
> > large wireless network. In order to do this I also need to lookup the
> > MAC address associated with each IP address that is contained within
> > the tcpdump packet files I am processing. I have looked through the
> > documentation and have not found any suitable tcptrace commands (the
> > -l long list does not display it either) to achieve this. So at the
> > moment I am using tcpdump to do the lookup for each IP -> MAC address
> > mapping which is very inefficient. I was wondering whether tcptrace
> > does support the extraction of MAC addresses and if so how. If
> > tcptrace does not support this feature are there any other programs
> > you users are aware of that have a similar function to tcptrace but
> > also allow MAC address lookup.
>
> For the record, you cannot post to the tcptrace list without being
> subscribed; fortunately, I'm the bounce target, and I noticed that
> your email wasn't spam before deleting it :-) Hopefully if
> someone else knows a good solution they can speak up.
>
> That said, I don't really understand what you're wanting to do -
> what do you want to do with the MAC addresses? Do you simply want
> to print out the MAC addresses of each connection along with the IP
> and port pairs in the tcptrace *output*, or do you want to change
> tcptrace's behavior based on MAC addresses?
>
> > As a last choice possibility, I have considered modifying the tcptrace
> > source to fit this need. If none of the other options are possible
> > then where should I begin looking if I wanted to add this feature into
> > tcptrace? Thank you very much.
>
> You would start by looking at the file that parses the input of the
> file format that you're using (from the sound of things, the pcap
> parser file, tcpdump.c). From there, you would have to make the
> parser record MAC addresses... tcptrace does not record MAC
> addresses because they aren't even guaranteed to exist in all link
> types, and it would be a pain to handle all possibilities (that's
> the first reason that popped into my head - I'm sure there are a
> myriad more).
>
> Chances are good that tcptrace, by itself, is not a reasonable
> solution to your problem. It's possible that you could modify it to
> suit your needs; however, I think that this may be a large
> undertaking. Since it doesn't keep any state about the link layer,
> if you're wanting to know where flows are traversing on the interior
> of a network you'll need to add some non-trivial functionality.
>
> --jtb
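Brent's arpwatch pointer aside, the IP-to-MAC lookup Leslie describes can be done directly on the pcap file without tcptrace. The example below is added here and is not code from the thread, from tcptrace or from arpwatch: it parses the classic little-endian pcap format, reads each Ethernet/IPv4 frame's sender MAC, and, like arpwatch, flags an IP address claimed by more than one MAC. It assumes link type 1 (Ethernet) and rejects anything else, which is exactly jtb's point that MAC addresses do not exist on every link type; the sample capture is constructed in the block.

```python
import struct
from collections import defaultdict

DLT_EN10MB = 1          # pcap link type for Ethernet; the only one that carries MACs here
ETHERTYPE_IPV4 = 0x0800

def _ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet + IPv4 frame (constructed test data, no payload)."""
    eth = dst_mac + src_mac + struct.pack(">H", ETHERTYPE_IPV4)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src_ip, dst_ip)
    return eth + ip

def build_pcap(frames, linktype=DLT_EN10MB):
    """Serialise frames into a classic little-endian pcap (constructed sample file)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1140000000 + i, 0, len(f), len(f)) + f
    return out

def ip_to_macs(pcap_bytes):
    """Return {sender_ip: set(sender_mac)} for IPv4 frames; refuse non-Ethernet captures."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic or byte order")
    if linktype != DLT_EN10MB:
        raise ValueError(f"link type {linktype} carries no Ethernet MAC addresses")
    seen = defaultdict(set)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # ARP, VLAN-tagged, IPv6 or truncated frame: skip it
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        src_ip = ".".join(str(b) for b in frame[26:30])  # 14-byte Ethernet + 12 into IPv4
        seen[src_ip].add(src_mac)
    return dict(seen)

def flip_flops(mapping):
    """IPs seen from more than one MAC, the situation arpwatch reports as a 'flip flop'."""
    return {ip: macs for ip, macs in mapping.items() if len(macs) > 1}

# Constructed sample: host 10.0.0.2 is later seen sending from a second MAC.
MAC_A, MAC_B, MAC_C = (bytes.fromhex(f"02000000000{n}") for n in (1, 2, 3))
SAMPLE_PCAP = build_pcap([
    _ipv4_frame(MAC_A, MAC_B, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])),
    _ipv4_frame(MAC_B, MAC_A, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])),
    _ipv4_frame(MAC_C, MAC_A, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])),
])
```

Running `flip_flops(ip_to_macs(SAMPLE_PCAP))` on the constructed capture reports 10.0.0.2 with two MACs; a real capture from a non-Ethernet link (for example raw IP or PPP) is rejected up front rather than yielding garbage addresses.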
This archive was generated by hypermail 2.1.7 : 02/23/06 EST