You could brute force it with grep and finesse the output as needed: The-Ultimate-PCAP$ tshark -r ./*202002* -2 -R ipv6.dst_sa_mac -Nm -V | grep "Destination SA MAC" | sort | uniq [Destination SA MAC: AmazonTe_05:cd:40 (38:f7:3d:05:cd:40)] [Destination SA MAC: Sonos_a4:21:8c (78:28:ca:a4:21:8c)] [Destination SA MAC: Tp-LinkT_4d:6b:8d (f8:1a:67:4d:6b:8d)] [Destination SA MAC: Tp-LinkT_4d:76:63 (f8:1a:67:4d:76:63)] [Destination SA MAC: AVMAudio_7e:33:a2 (c8:0e:14:7e:33:a2)] [Destination SA MAC: AVM_cc:c2:a9 (bc:05:43:cc:c2:a9)] [Destination SA MAC: Cisco_60:17:c1 (00:25:45:60:17:c1)]
On Fri, Jul 30, 2021 at 7:57 PM Marco Davids (SIDN) via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > Op 30-07-21 om 21:10 schreef João Valverde via Wireshark-dev: > > >> Also, I have not find any aggregate statistics just yet. But > >> nevertheless still happy with this nice feature. > >> > > > > The statistics for SLAAC/OUI don't exist. What I was trying to say is > > that, if we were to add something like that, I think they should go > > somewhere under the IPv6 Statistics menu, not Endpoints. > > Ah okay. Got you. Thanks. > > One final question; I can't seem to do name resolution with thsark on > the mac addresses I derive from IPv6 SLAAC addresses. > > So I can do this: > > tshark -r ~/ipv6.pcap -2 -R 'ipv6.dst_sa_mac' -Tfields -eipv6.dst_sa_mac > > or this: > > tshark -Y 'ipv6.dst_sa_mac' -Tfields -eipv6.dst_sa_mac > > And that results in a nice list of MAC addresses in the output. > > But adding "-o 'nameres.mac_name:TRUE'" or "-Nm" does not help to cause > manufacturer name resolution to happen on these mac addresses. > > It does work for "-e eth.addr_resolved", but obviously this options > concerns other MAC addresses. > > Is what I would like to do at all possible, or is that specific use case > something that tshark currently does not support? > > Thanks. > > -- > Marco > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe >
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe