Some enhancements to Wireshark for easier troubleshooting

AlexP
Meraki Employee

Hey everyone,

 

I recently got the okay to share with you all some definitions for Wireshark that make it easier to identify Meraki BSSIDs when you're taking or viewing captures in it.

 

To apply them, locate Wireshark's manuf file and paste the following in:

 

# Meraki BSSID OUI Mappings
# Author: Alexander Pierson
# Last Updated: February 16, 2018

# 00:18:0A OUI - MR26/MR34/MR32/MR72

02:18:4A:00:00:00/24 Meraki # 2.4GHz
02:18:5A:00:00:00/24 Meraki # 5GHz

# 88:15:44 OUI - MR26/MR34/MR32/MR72

8A:15:04:00:00:00/24 Meraki # 2.4GHz
8A:15:14:00:00:00/24  Meraki # 5GHz

# E0:55:3D OUI - MR26/MR34/MR32/MR72

E2:55:7D:00:00:00/24 Meraki # 2.4GHz
E2:55:6D:00:00:00/24 Meraki # 5GHz

# 00:18:0A OUI - MR12/MR16/MR18/MR24/MR62/MR66

00:18:0A:00:00:00/24  Meraki # 2.4GHz SSID 1
02:18:1A:00:00:00/24  Meraki # 5GHz SSID 1
06:18:0A:00:00:00/19  Meraki # SSID 2 (both bands)
0A:18:0A:00:00:00/19  Meraki # SSID 3 (continues in this progression)
0E:18:0A:00:00:00/19  Meraki
12:18:0A:00:00:00/19  Meraki
16:18:0A:00:00:00/19  Meraki
1A:18:0A:00:00:00/19  Meraki
1E:18:0A:00:00:00/19  Meraki
22:18:0A:00:00:00/19  Meraki
26:18:0A:00:00:00/19  Meraki
2A:18:0A:00:00:00/19  Meraki
2E:18:0A:00:00:00/19  Meraki
32:18:0A:00:00:00/19  Meraki
36:18:0A:00:00:00/19  Meraki
3A:18:0A:00:00:00/19  Meraki # SSID 15

# 88:15:44 OUI - MR12/MR16/MR18/MR24/MR62/MR66/MR42/MR52/MR53/MR33/MR30H/MR74/MR84

88:15:44:00:00:00/24            Meraki # 2.4GHz SSID 1
8A:15:54:00:00:00/24            Meraki # 5GHz SSID 1
8E:15:44:00:00:00/19            Meraki # SSID 2 (both bands)
82:15:44:00:00:00/19            Meraki
86:15:44:00:00:00/19            Meraki
9A:15:44:00:00:00/19            Meraki
9E:15:44:00:00:00/19            Meraki
92:15:44:00:00:00/19            Meraki
96:15:44:00:00:00/19            Meraki
AA:15:44:00:00:00/19            Meraki
AE:15:44:00:00:00/19            Meraki
A2:15:44:00:00:00/19            Meraki
A6:15:44:00:00:00/19            Meraki
BA:15:44:00:00:00/19            Meraki
BE:15:44:00:00:00/19            Meraki
B2:15:44:00:00:00/19            Meraki # SSID 15

# E0:55:3D OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84

E0:55:2D:00:00:00/24            Meraki # 2.4GHz SSID 1
E2:55:2D:00:00:00/24            Meraki # 5GHz SSID 1
E6:55:2D:00:00:00/19            Meraki # SSID 2 (both bands)
EA:55:2D:00:00:00/19            Meraki
EE:55:2D:00:00:00/19            Meraki
F2:55:2D:00:00:00/19            Meraki
F6:55:2D:00:00:00/19            Meraki
FA:55:2D:00:00:00/19            Meraki
FE:55:2D:00:00:00/19            Meraki
C2:55:2D:00:00:00/19            Meraki
C6:55:2D:00:00:00/19            Meraki
CA:55:2D:00:00:00/19            Meraki
CE:55:2D:00:00:00/19            Meraki
D2:55:2D:00:00:00/19            Meraki
D6:55:2D:00:00:00/19            Meraki
DA:55:2D:00:00:00/19            Meraki # SSID 15

# 0C-8D-DB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

0C:8D:CB:00:00:00/24            Meraki # 2.4GHz SSID 1
0E:8D:CB:00:00:00/24            Meraki # 5GHz SSID 1
0A:8D:CB:00:00:00/19            Meraki # SSID 2 (both bands)
06:8D:CB:00:00:00/19            Meraki
02:8D:CB:00:00:00/19            Meraki
1E:8D:CB:00:00:00/19            Meraki
1A:8D:CB:00:00:00/19            Meraki
16:8D:CB:00:00:00/19            Meraki
12:8D:CB:00:00:00/19            Meraki
2E:8D:CB:00:00:00/19            Meraki
2A:8D:CB:00:00:00/19            Meraki
26:8D:CB:00:00:00/19            Meraki
22:8D:CB:00:00:00/19            Meraki
3E:8D:CB:00:00:00/19            Meraki
3A:8D:CB:00:00:00/19            Meraki
36:8D:CB:00:00:00/19            Meraki # SSID 15

# E0:CB:BC OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

E0:CB:BC:00:00:00/24            Meraki # 2.4GHz SSID 1
0E:8D:CB:00:00:00/24            Meraki # 5GHz SSID 1
0A:8D:CB:00:00:00/19            Meraki # SSID 2 (both bands)
06:8D:CB:00:00:00/19            Meraki
02:8D:CB:00:00:00/19            Meraki
1E:8D:CB:00:00:00/19            Meraki
1A:8D:CB:00:00:00/19            Meraki
16:8D:CB:00:00:00/19            Meraki
12:8D:CB:00:00:00/19            Meraki
2E:8D:CB:00:00:00/19            Meraki
2A:8D:CB:00:00:00/19            Meraki
26:8D:CB:00:00:00/19            Meraki
22:8D:CB:00:00:00/19            Meraki
3E:8D:CB:00:00:00/19            Meraki
3A:8D:CB:00:00:00/19            Meraki
36:8D:CB:00:00:00/19            Meraki # SSID 15

# End Meraki BSSID Mappings

If you only have specific models in your environment, feel free to pick and choose which sections you include, as they're sorted out by which models use which OUIs.

 

One word of caution though: these have not been tested for collisions with other vendors, so there could be some inadvertent overlaps as a result. I've tried to make the bitmasks as specific as possible, but I'm sure the risk is still there, so be aware of the potential confusion.

 

Done correctly, you should start seeing Meraki BSSIDs showing up like this in Wireshark:

 

[Image: bssid.png]

 

If you have any questions, concerns, or you notice anything wrong, please let me know!

(Edit) Modified the newest OUI to use a Windows-style hardware address for now to avoid it getting turned into an emoticon
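
The collision caution in the post above can be checked mechanically before the lines are merged into a manuf file. The Python below is an added example, not part of the original post and not Wireshark code: it parses prefix/bits lines, reports duplicate and overlapping ranges, and resolves a BSSID to the longest matching mask (an assumption of this example, not a statement of Wireshark's lookup order). The OtherVendor line and all function names are constructed for illustration.

```python
import re
from itertools import combinations

# The Meraki lines are copied from the post above; the OtherVendor line is
# constructed (hypothetical name, not a real assignment) to show a collision.
SAMPLE = """\
# 0C-8D-DB OUI
0E:8D:CB:00:00:00/24            Meraki # 5GHz SSID 1
0A:8D:CB:00:00:00/19            Meraki # SSID 2 (both bands)
# E0:CB:BC OUI
E0:CB:BC:00:00:00/24            Meraki # 2.4GHz SSID 1
0E:8D:CB:00:00:00/24            Meraki # 5GHz SSID 1
0A:8D:C0:00:00:00/24            OtherVendor
"""

def mac_to_int(mac):
    """48-bit integer for a MAC written with ':', '-' or '.' separators."""
    return int(re.sub(r"[:.\-]", "", mac).ljust(12, "0"), 16)

def parse_manuf(text):
    """Yield (lineno, prefix, bits, name) for every mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        addr, name = line.split(None, 1)
        addr, _, bits = addr.partition("/")
        bits = int(bits) if bits else 24         # assumed default: plain OUI
        mask = ((1 << bits) - 1) << (48 - bits)  # keep only the top `bits` bits
        yield lineno, mac_to_int(addr) & mask, bits, name.strip()

def find_collisions(entries):
    """Pairs whose ranges intersect, i.e. agree on the shorter of two masks."""
    hits = []
    for (l1, p1, b1, n1), (l2, p2, b2, n2) in combinations(entries, 2):
        shift = 48 - min(b1, b2)
        if p1 >> shift == p2 >> shift:
            kind = "duplicate" if (p1, b1) == (p2, b2) else "overlap"
            hits.append((l1, l2, kind, n1, n2))
    return hits

def lookup(entries, mac):
    """Name of the most specific (longest-mask) entry covering mac, or None."""
    addr = mac_to_int(mac)
    covering = [e for e in entries if addr >> (48 - e[2]) == e[1] >> (48 - e[2])]
    return max(covering, key=lambda e: e[2])[3] if covering else None

if __name__ == "__main__":
    for hit in find_collisions(list(parse_manuf(SAMPLE))):
        print(hit)
```

Running it on a merged file (the stock manuf entries plus the pasted block) lists every pair that would compete for the same BSSID, with the line numbers needed to decide which mapping to keep.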

Uberseehandel
Kind of a big deal

This looks great, thank you.

 

Question when editing - 

# 0C:8DSmiley Very HappyB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

0C:8D:CB:00:00:00/24            Meraki # 2.4GHz SSID 1

should that line read - 

# 0C:8D:CB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

0C:8D:CB:00:00:00/24            Meraki # 2.4GHz SSID 1

or, following the logic of the previous block . . .

should it be -

Previous Block
# E0:55:3D OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84

E0:55:2D:00:00:00/24            Meraki # 2.4GHz SSID 1

Block Infected with emoji measles
# 0C:8DSmiley Very HappyB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

0C:8D:CB:00:00:00/24            Meraki # 2.4GHz SSID 1

Should be corrected to -
# 0C:8D:CB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

or to -
# 0C:8D:BB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70

Actual value to use per Alex's email below -
# 0C:8D:DB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
(only joking - ;-[]0
make that
0C (colon) 8D (colon) DB

making sure to replace (colon) by : (rather than a part of the anatomy)

@CarolineS - this is really crazy - emojis are fine for twitter, but here - what next unexpected gnomonic projections?


or does it not matter as the line is prefixed by a -  #    ?

You might find it helps to keep a copy of Notepad++ handy, or Atom if you are on a Mac ;-[])

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks for this share!

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Nope, the OUI is 0C-8D-DB (to use a format our message board platform won't mangle); it shouldn't matter in either case though, because those lines are just comments - Wireshark doesn't process them at all.

 

Each of these is calculated rather differently depending on the underlying hardware platform, so the bitmasks are going to vary for each. The way the BSSID MACs changed per-SSID also varies; on the older platforms, we'd increment the low-order bits rather than the high-order bits like we do on the newer platforms, and as a result, there are a lot more mask patterns I had to come up with for them.

@Uberseehandel - great idea for some “unexpected gnomic projections”! I’ll see what I can come up with. 🧙🏻‍♂️

 

I have a note in to our community platform provider about these emojis infecting <pre> blocks. Perhaps they will tell us to drink fluids and get some rest. 😷

Caroline S | Community Manager, Cisco Meraki
New to the community? Get started here

I found the setting to turn off emoticons within <pre> blocks! Drum roll...

 

:D :) :P

 

Caroline S | Community Manager, Cisco Meraki