How do I get all MAC addresses from captured packets?


tcpdump -i any -w all.cap
Now, how do I get all MAC addresses from the captured packets?
The same MAC address.

Answer 1

First, install tshark

sudo apt-get install tshark

Now we have a tool to read the contents of the .cap file

Use the command

tshark -r all.cap -i eth0 -nn -e eth.src -Tfields

You will get output like this

00:17:31:91:0c:8c
00:17:31:91:0c:8c
00:17:31:91:0c:8c
00:e0:1e:b4:12:42
00:17:31:91:0c:8c
00:17:31:91:0c:8c
54:a0:50:64:cc:39
00:e0:1e:b4:12:42
54:a0:50:64:cc:39
00:e0:1e:b4:12:42
54:a0:50:64:cc:39
00:e0:1e:b4:12:42
54:a0:50:64:cc:39
00:17:31:91:0c:8c
00:17:31:91:0c:8c
54:a0:50:64:cc:39

Or you can modify the command

tshark -r aalmac.pcap -i eth0 -nn -e ip.src -e eth.src -Tfields

and get the output

xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.205 00:17:31:91:0c:8c
    00:e0:1e:b4:12:42
xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.40  00:e0:1e:b4:12:42
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.247 00:e0:1e:b4:12:42
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.189 00:e0:1e:b4:12:42
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.143 00:e0:1e:b4:12:42
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.143 00:e0:1e:b4:12:42
xxx.xxx.xxx.5   54:a0:50:64:cc:39
xxx.xxx.xxx.155 00:e0:1e:b4:12:42
xxx.xxx.xxx.5   54:a0:50:64:cc:39
    00:e0:1e:b4:12:42
xxx.xxx.xxx.154 00:e0:1e:b4:12:42
xxx.xxx.xxx.205 00:17:31:91:0c:8c
xxx.xxx.xxx.5   54:a0:50:64:cc:39

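You can see that some IPs have two or more MAC addresses. This means the IPs come from the same port on the router.

Next, you can modify the command so that it looks like this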

tshark -r all.cap -i eth0 -nn -e ip.src -e eth.src -Tfields | sort | uniq

You will get sorted and unique mac <-> ip pairs

xxx.xxx.xxx.154 00:e0:1e:b4:12:42
xxx.xxx.xxx.69  00:e0:1e:b4:12:42
xxx.xxx.xxx.69  00:e0:1e:b4:12:42
xxx.xxx.xxx.143 00:e0:1e:b4:12:42
xxx.xxx.xxx.155 00:e0:1e:b4:12:42
xxx.xxx.xxx.23  00:e0:1e:b4:12:42
xxx.xxx.xxx.13  00:e0:1e:b4:12:42
xxx.xxx.xxx.247 00:e0:1e:b4:12:42
xxx.xxx.xxx.77  00:e0:1e:b4:12:42
xxx.xxx.xxx.138 00:e0:1e:b4:12:42
xxx.xxx.xxx.18  00:1e:8c:a8:3a:9b
xxx.xxx.xxx.205 00:17:31:91:0c:8c

...
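
An added example, not part of the answer above: a standalone Python parser that counts source MAC addresses straight from a classic pcap file, going beyond the tshark one-liner to cover the case in the question, where `tcpdump -i any` writes Linux "cooked" (SLL or SLL2) records that carry no Ethernet header. The function names and the sample capture with its addresses are constructed for illustration.

```python
import struct
from collections import Counter

ETHERNET, LINUX_SLL, LINUX_SLL2 = 1, 113, 276  # pcap link-layer types

def source_macs(pcap: bytes) -> Counter:
    """Count the source MAC addresses in a classic pcap file's bytes."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"  # written on a little-endian host
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # Low 16 bits hold the link type; the high bits can carry FCS information.
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0] & 0xFFFF
    if linktype not in (ETHERNET, LINUX_SLL, LINUX_SLL2):
        raise ValueError(f"unsupported link type {linktype}")
    counts, pos = Counter(), 24  # records start after the 24-byte file header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, pos + 8)[0]
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        if linktype == ETHERNET:
            addr = frame[6:12]  # dst(6) src(6) type(2)
        elif linktype == LINUX_SLL:
            # pkttype(2) hatype(2) addr_len(2) addr(8) proto(2), big-endian
            addr = frame[6:14][: int.from_bytes(frame[4:6], "big")]
        else:
            # SLL2: proto(2) rsvd(2) ifindex(4) hatype(2) pkttype(1) addr_len(1) addr(8)
            addr = frame[12:20][: frame[11] if len(frame) > 11 else 0]
        if len(addr) == 6:  # skips truncated frames and non-MAC senders
            counts[addr.hex(":")] += 1
    return counts

def sample_capture() -> bytes:
    """Constructed sample: three cooked (SLL) records with made-up addresses."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINUX_SLL)
    for mac in ("02:00:00:00:00:02", "02:00:00:00:00:01", "02:00:00:00:00:02"):
        sll = struct.pack(">HHH", 0, 1, 6) + bytes.fromhex(mac.replace(":", ""))
        sll += b"\x00\x00" + struct.pack(">H", 0x0800)  # address padding, IPv4
        out += struct.pack("<IIII", 0, 0, len(sll), len(sll)) + sll
    return out

if __name__ == "__main__":
    for mac, n in sorted(source_macs(sample_capture()).items()):
        print(mac, n)
```

To run it on a real file, pass `open("all.cap", "rb").read()` to `source_macs`; the per-address counts make it easy to spot one MAC that fronts many IP addresses, such as a router.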
