Hey everyone,
I recently got the okay to share with you all some definitions for Wireshark that make it easier to identify Meraki BSSIDs when you're taking or viewing captures in it.
To apply them, locate Wireshark's manuf file and paste the following in:
# Meraki BSSID OUI Mappings
# Author: Alexander Pierson
# Last Updated: February 16, 2018

# 00:18:0A OUI - MR26/MR34/MR32/MR72
02:18:4A:00:00:00/24 Meraki # 2.4GHz
02:18:5A:00:00:00/24 Meraki # 5GHz

# 88:15:44 OUI - MR26/MR34/MR32/MR72
8A:15:04:00:00:00/24 Meraki # 2.4GHz
8A:15:14:00:00:00/24 Meraki # 5GHz

# E0:55:3D OUI - MR26/MR34/MR32/MR72
E2:55:7D:00:00:00/24 Meraki # 2.4GHz
E2:55:6D:00:00:00/24 Meraki # 5GHz

# 00:18:0A OUI - MR12/MR16/MR18/MR24/MR62/MR66
00:18:0A:00:00:00/24 Meraki # 2.4GHz SSID 1
02:18:1A:00:00:00/24 Meraki # 5GHz SSID 1
06:18:0A:00:00:00/19 Meraki # SSID 2 (both bands)
0A:18:0A:00:00:00/19 Meraki # SSID 3 (continues in this progression)
0E:18:0A:00:00:00/19 Meraki
12:18:0A:00:00:00/19 Meraki
16:18:0A:00:00:00/19 Meraki
1A:18:0A:00:00:00/19 Meraki
1E:18:0A:00:00:00/19 Meraki
22:18:0A:00:00:00/19 Meraki
26:18:0A:00:00:00/19 Meraki
2A:18:0A:00:00:00/19 Meraki
2E:18:0A:00:00:00/19 Meraki
32:18:0A:00:00:00/19 Meraki
36:18:0A:00:00:00/19 Meraki
3A:18:0A:00:00:00/19 Meraki # SSID 15

# 88:15:44 OUI - MR12/MR16/MR18/MR24/MR62/MR66/MR42/MR52/MR53/MR33/MR30H/MR74/MR84
88:15:44:00:00:00/24 Meraki # 2.4GHz SSID 1
8A:15:54:00:00:00/24 Meraki # 5GHz SSID 1
8E:15:44:00:00:00/19 Meraki # SSID 2 (both bands)
82:15:44:00:00:00/19 Meraki
86:15:44:00:00:00/19 Meraki
9A:15:44:00:00:00/19 Meraki
9E:15:44:00:00:00/19 Meraki
92:15:44:00:00:00/19 Meraki
96:15:44:00:00:00/19 Meraki
AA:15:44:00:00:00/19 Meraki
AE:15:44:00:00:00/19 Meraki
A2:15:44:00:00:00/19 Meraki
A6:15:44:00:00:00/19 Meraki
BA:15:44:00:00:00/19 Meraki
BE:15:44:00:00:00/19 Meraki
B2:15:44:00:00:00/19 Meraki # SSID 15

# E0:55:3D OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84
E0:55:2D:00:00:00/24 Meraki # 2.4GHz SSID 1
E2:55:2D:00:00:00/24 Meraki # 5GHz SSID 1
E6:55:2D:00:00:00/19 Meraki # SSID 2 (both bands)
EA:55:2D:00:00:00/19 Meraki
EE:55:2D:00:00:00/19 Meraki
F2:55:2D:00:00:00/19 Meraki
F6:55:2D:00:00:00/19 Meraki
FA:55:2D:00:00:00/19 Meraki
FE:55:2D:00:00:00/19 Meraki
C2:55:2D:00:00:00/19 Meraki
C6:55:2D:00:00:00/19 Meraki
CA:55:2D:00:00:00/19 Meraki
CE:55:2D:00:00:00/19 Meraki
D2:55:2D:00:00:00/19 Meraki
D6:55:2D:00:00:00/19 Meraki
DA:55:2D:00:00:00/19 Meraki # SSID 15

# 0C-8D-DB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
0C:8D:CB:00:00:00/24 Meraki # 2.4GHz SSID 1
0E:8D:CB:00:00:00/24 Meraki # 5GHz SSID 1
0A:8D:CB:00:00:00/19 Meraki # SSID 2 (both bands)
06:8D:CB:00:00:00/19 Meraki
02:8D:CB:00:00:00/19 Meraki
1E:8D:CB:00:00:00/19 Meraki
1A:8D:CB:00:00:00/19 Meraki
16:8D:CB:00:00:00/19 Meraki
12:8D:CB:00:00:00/19 Meraki
2E:8D:CB:00:00:00/19 Meraki
2A:8D:CB:00:00:00/19 Meraki
26:8D:CB:00:00:00/19 Meraki
22:8D:CB:00:00:00/19 Meraki
3E:8D:CB:00:00:00/19 Meraki
3A:8D:CB:00:00:00/19 Meraki
36:8D:CB:00:00:00/19 Meraki # SSID 15

# E0:CB:BC OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
E0:CB:BC:00:00:00/24 Meraki # 2.4GHz SSID 1
0E:8D:CB:00:00:00/24 Meraki # 5GHz SSID 1
0A:8D:CB:00:00:00/19 Meraki # SSID 2 (both bands)
06:8D:CB:00:00:00/19 Meraki
02:8D:CB:00:00:00/19 Meraki
1E:8D:CB:00:00:00/19 Meraki
1A:8D:CB:00:00:00/19 Meraki
16:8D:CB:00:00:00/19 Meraki
12:8D:CB:00:00:00/19 Meraki
2E:8D:CB:00:00:00/19 Meraki
2A:8D:CB:00:00:00/19 Meraki
26:8D:CB:00:00:00/19 Meraki
22:8D:CB:00:00:00/19 Meraki
3E:8D:CB:00:00:00/19 Meraki
3A:8D:CB:00:00:00/19 Meraki
36:8D:CB:00:00:00/19 Meraki # SSID 15

# End Meraki BSSID Mappings
If you only have specific models in your environment, feel free to pick and choose which sections you include, as they're sorted out by which models use which OUIs.
One word of caution though: these have not been tested for collisions with other vendors, so there could be some inadvertent overlaps as a result. I've tried to make the bitmasks as specific as possible, but I'm sure the risk is still there, so be aware of the potential confusion.
Done correctly, you should start seeing Meraki BSSID's showing up like this in Wireshark:
If you have any questions, concerns, or you notice anything wrong, please let me know!
(Edit) Modified the newest OUI to use a Windows-style hardware address for now to avoid it getting turned into an emoticon
This looks great, thank you.
Question when editing -
# 0C:8DSmiley Very HappyB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
0C:8D:CB:00:00:00/24 Meraki # 2.4GHz SSID 1
should that line read -
# 0C:8D:CB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
0C:8D:CB:00:00:00/24 Meraki # 2.4GHz SSID 1
or, following the logic of the previous block . . .
should it be -
Previous Block
# E0:55:3D OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84
E0:55:2D:00:00:00/24 Meraki # 2.4GHz SSID 1
Block Infected with emoji measles
# 0C:8DSmiley Very HappyB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
0C:8D:CB:00:00:00/24 Meraki # 2.4GHz SSID 1
Should be corrected to -
# 0C:8D:CB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
or to -
# 0C:8D:BB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
Actual value to use per Alex's email below -
# 0C:8D:DB OUI - MR42/MR52/MR53/MR33/MR30H/MR74/MR84/MR20/MR70
(only joking - ;-[]0
make that
0C (colon) 8D (colon) DB
making sure to replace (colon) by : (rather than a part of the anatomy)
@CarolineS - this is really crazy - emojis are fine for twitter, but here - what next unexpected gnomonic projections?
or does it not matter as the line is prefixed by a - # ?
You might find it helps to keep a copy of Notepad++ handy, or Atom if you are on a Mac ;-[])
Thanks for this share!
Nope, the OUI is 0C-8D-DB (to use a format our message board platform won't mangle); it shouldn't matter in either case though, because those lines are just comments - Wireshark doesn't process them at all.
Each of these is calculated rather differently depending on the underlying hardware platform, so the bitmasks are going to vary for each. The way the BSSID MAC's changed per-SSID also varies; on the older platforms, we'd increment the low-order bits rather than the high-order bits like we do on the newer platforms, and as a result, there are a lot more mask patterns I had to come up with for them.
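Added example (not part of the original posts or of Wireshark): a small audit for the collision caution and the per-platform bitmasks discussed above, which parses manuf-style lines, flags ranges listed more than once, and reports custom ranges that overlap another vendor's entry. It assumes "/N" means the leading N bits of the address are significant; `ExampleVendor` and its address are constructed sample data.

```python
# Added example: audits manuf-style lines for duplicates and overlapping ranges.
# Assumption: "/N" keeps the leading N bits of the 48-bit address (prefix length).

def mask_for(bits):
    return ((1 << bits) - 1) << (48 - bits)

def parse_entry(line):
    """'AA:BB:CC[:DD:EE:FF][/bits] Name # note' -> (prefix, bits, name) or None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None  # blank line or comment-only line
    addr, _, bits = fields[0].partition("/")
    octets = addr.replace("-", ":").split(":")
    value = int("".join(octets), 16) << (8 * (6 - len(octets)))
    bits = int(bits) if bits else 8 * len(octets)
    return value & mask_for(bits), bits, fields[1]

def covers(entry, mac):
    """True if a full MAC string falls inside the entry's masked range."""
    prefix, bits, _ = entry
    return int(mac.replace(":", ""), 16) & mask_for(bits) == prefix

def overlaps(a, b):
    """Two ranges overlap when they agree on every bit of the shorter mask."""
    m = mask_for(min(a[1], b[1]))
    return a[0] & m == b[0] & m

def audit(custom_lines, existing_lines):
    """Return (repeated custom ranges, custom ranges that hit another vendor)."""
    custom = [e for e in map(parse_entry, custom_lines) if e]
    existing = [e for e in map(parse_entry, existing_lines) if e]
    seen, dupes = set(), []
    for e in custom:
        if e[:2] in seen:
            dupes.append(e[:2])
        seen.add(e[:2])
    clashes = [(c, x) for c in custom for x in existing
               if c[2] != x[2] and overlaps(c, x)]
    return dupes, clashes

CUSTOM = [  # lines taken from the block above; the last one appears there twice
    "0C:8D:CB:00:00:00/24 Meraki # 2.4GHz SSID 1",
    "0E:8D:CB:00:00:00/24 Meraki # 5GHz SSID 1",
    "06:18:0A:00:00:00/19 Meraki # SSID 2 (both bands)",
    "0E:8D:CB:00:00:00/24 Meraki # 5GHz SSID 1",
]
EXISTING = ["06:18:1F ExampleVendor # constructed entry, not a real assignment"]

if __name__ == "__main__":
    print(audit(CUSTOM, EXISTING))
```

Under the prefix-length assumption a /19 entry spans 32 consecutive values of the third octet, which is why the constructed `06:18:1F` entry is reported against `06:18:0A:00:00:00/19`.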
@Uberseehandel - great idea for some “unexpected gnomic projections”! I’ll see what I can come up with. 🧙🏻♂️
I have a note in to our community platform provider about these emojis infecting <pre> blocks. Perhaps they will tell us to drink fluids and get some rest. 😷
I found the setting to turn off emoticons within <pre> blocks! Drum roll...
:D :) :P