TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
TL;DR; using TShark to monitor WiFi traffic and list MAC addresses around you:
$ tshark -a duration:16 -I -i en1 -Tfields -e wlan.sa 2>/dev/null | sort -u
Installing TShark (OSX)
- Download and install the Wireshark package from wireshark.org.
- The installer will create various symlinks in /usr/local/bin.
Monitoring
First, let’s check what kind of interfaces we can use (this is what I get):
$ tshark -D
1. en0 (Ethernet)
2. fw0 (FireWire)
3. bridge0 (Thunderbolt Bridge)
4. en1 (Wi-Fi)
5. p2p0
6. en4 (Thunderbolt 1)
7. lo0 (Loopback)
Basic usage:
$ tshark -i en1
This will keep printing data to STDOUT. Stop it with ctrl + c. You’ll get even more data if you add the -I (capture in monitor mode) parameter:
$ tshark -I -i en1
In monitor mode the WiFi icon will change.
TShark produces huge amounts of data. We can use a different output format to make it more readable (-T pdml) and capture only 10 packets (-c 10):
$ tshark -I -i en1 -T pdml -c 10 > captured.xml
Capturing on 'Wi-Fi'
10
$ cp /Applications/Wireshark.app/Contents/Resources/share/wireshark/pdml2html.xsl .
$ open -a Safari captured.xml
This will open Safari with a human-readable version of captured.xml.
But we can do much more on the command line, for example scan the network for 16 seconds and print all spotted WiFi MAC addresses:
$ tshark -a duration:16 -I -i en1 -Tfields -e wlan.sa 2>/dev/null | sort -u
You can paste them into the OUI Lookup Tool to do a reverse lookup of manufacturers. The list of all available fields is in the Wireshark documentation.
Alternatively, you might do it on the command line as well:
$ tshark -a duration:16 -I -i en1 -o column.format:'"","%rhs"' 2>/dev/null | sort -u
If you’re curious about additional parameters, here’s the explanation from explainshell.com. You might also like to check: column formats.
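Before pasting the wlan.sa output into an OUI lookup, it helps to separate addresses that carry a vendor OUI from locally administered ones (often randomized by the device), which no lookup will resolve. The following is an added example, not part of the original post; the function names and the sample addresses are constructed, and it assumes tshark joins multiple values of one field with a comma.

```shell
#!/bin/sh
# Added example: classify source MACs as printed by
#   tshark ... -Tfields -e wlan.sa
# Reads one field value per line on stdin and prints
#   <mac> <oui-prefix> <kind>
# for each distinct address, where kind is:
#   global - vendor-assigned address, the OUI prefix can be looked up
#   local  - locally administered (U/L bit set), typically a randomized MAC
#   group  - group/multicast bit set, not expected as a real source address
classify_macs() {
    tr 'A-F,' 'a-f\n' |                         # lower-case, split multi-value lines
    grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' |  # drop blank or malformed lines
    sort -u |
    awk '{
        oui = substr($1, 1, 8)                  # first three octets
        nib = substr($1, 2, 1)                  # low nibble of the first octet
        if (index("13579bdf", nib))  kind = "group"
        else if (index("26ae", nib)) kind = "local"
        else                         kind = "global"
        print $1, oui, kind
    }'
}

# Constructed sample input: includes a blank line (frames without a source
# address), a duplicate in different case, and a comma-joined multi-value line.
sample_capture() {
    cat <<'EOF'
00:11:22:33:44:55

DA:A1:19:00:00:01
da:a1:19:00:00:01
00:11:22:33:44:55,02:00:00:aa:bb:cc
01:00:5e:00:00:fb
EOF
}

sample_capture | classify_macs
```

With a live capture, replace sample_capture with the tshark command from above and drop the final sort -u, since classify_macs already de-duplicates.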