Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.
What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.
Wireshark: Wireless Display and Capture Filters samples
Display filters
You can apply display filters when you want to look for specific data in capture files.
Packets that don't match the display filter are hidden, but not removed from the capture file.
There are different ways to apply display filters.
One way to use display filters is to start typing in the Filter Input Field in the Filter Toolbar.
You can take advantage of the autocomplete function. When the background of the filter box turns green, the filter string is valid.
Don't forget to hit Apply or Enter to apply the filter.
You can also copy and paste filter strings into the Filter Input Field.
Here are some examples:
- Show only the beacon frames:
wlan.fc.type_subtype == 0x08
- Show everything except the beacon frames:
!wlan.fc.type_subtype == 0x08
- Show only beacon frames and ack frames:
(wlan.fc.type_subtype == 0x08) || (wlan.fc.type_subtype == 0x1d)
- Show everything except the beacon and ack frames:
(!wlan.fc.type_subtype == 0x08) && (!wlan.fc.type_subtype == 0x1d)
You will find more information in the Wireshark User's Guide and in the Wireshark Wiki.
Continue reading to learn more about capture filters.
Capture filters
When you use a capture filter, only the packets that match the filter are dumped to a file. This reduces the amount of data to be captured.
Capture filters have a different syntax than display filters.
You enter the capture filters into the Filter field of the Wireshark Capture Options dialog box and hit the Start button.
Here are some examples:
- Capture only beacon frames:
wlan[0] == 0x80
- Capture everything except beacon frames:
wlan[0] != 0x80
- Capture only beacon frames and ack frames:
wlan[0] == 0x80 or wlan[0] == 0xd4
- Capture everything except beacon frames and ack frames:
wlan[0] != 0x80 and wlan[0] != 0xd4
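As an added example (not from the original post), this Python script shows how the two sets of numbers relate: the display filter field wlan.fc.type_subtype is Type << 4 | Subtype, while the capture filter wlan[0] tests the first Frame Control byte as sent on the air, where the Subtype sits in the high nibble; it also builds the compound "||"/"or" and "&&"/"and" expressions used above and in the cfilters file further down. The bit layout is that of the IEEE 802.11 Frame Control field; the FrameType names and constants are my own.

```python
"""Frame Control arithmetic behind the wlan.fc.type_subtype and wlan[0] values above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameType:
    name: str
    ftype: int    # 802.11 Type field: 0 = management, 1 = control, 2 = data
    subtype: int  # 4-bit Subtype field

# The frame kinds this page's filters refer to (constants are my own naming).
BEACON = FrameType("Beacon", 0, 8)
PROBE_REQ = FrameType("Probe Request", 0, 4)
PROBE_RESP = FrameType("Probe Response", 0, 5)
CTS = FrameType("Clear-to-send", 1, 12)
ACK = FrameType("Ack", 1, 13)
CF_END = FrameType("CF-End", 1, 14)

def display_value(f):
    """Value tested by the display filter field wlan.fc.type_subtype: Type << 4 | Subtype."""
    return (f.ftype << 4) | f.subtype

def capture_byte(f, version=0):
    """First Frame Control byte as sent on the air, which the capture filter wlan[0] tests:
    bits 1-0 protocol version, bits 3-2 Type, bits 7-4 Subtype (so the nibbles swap)."""
    return (f.subtype << 4) | (f.ftype << 2) | version

def decode_capture_byte(b):
    """Inverse of capture_byte(): (version, type, subtype) of a wlan[0] value."""
    return b & 0x3, (b >> 2) & 0x3, (b >> 4) & 0xF

def display_filter(frames, exclude=False):
    """'||' of == tests, or (De Morgan) '&&' of negated tests, in the page's dfilters style."""
    neg, join = ("!", " && ") if exclude else ("", " || ")
    return join.join(f"({neg}wlan.fc.type_subtype == 0x{display_value(f):02x})" for f in frames)

def capture_filter(frames, exclude=False):
    """'or' of == tests, or 'and' of != tests, in the page's cfilters style."""
    op, join = ("!=", " and ") if exclude else ("==", " or ")
    return join.join(f"wlan[0] {op} 0x{capture_byte(f):02x}" for f in frames)

if __name__ == "__main__":
    for f in (BEACON, PROBE_REQ, PROBE_RESP, CTS, ACK, CF_END):
        print(f"{f.name:15} {display_filter([f]):34} {capture_filter([f])}")
    print(capture_filter([BEACON, ACK], exclude=True))   # wlan[0] != 0x80 and wlan[0] != 0xd4
    # Constructed byte 0x08 is the display-filter value of a beacon, but as a wlan[0] value it is
    # a data frame (version 0, type 2, subtype 0): the two syntaxes must never be mixed.
    print(decode_capture_byte(0x08))                     # (0, 2, 0)
```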
You will find more information in the Wireshark User's Guide and in the Wireshark Wiki.
Save the display and capture filters to file for future use
File dfilters
To save the display filters for future use you can modify the file dfilters.
In Windows XP the file dfilters is located at:
C:\Documents and Settings\<user>\Application Data\Wireshark\dfilters
In Windows 7 or Windows Server 2008 at:
C:\Users\<user>\AppData\Roaming\Wireshark\dfilters
Notes:
- You have to turn on "Show Hidden Files, Folders, and drives" to see the AppData folder: go to Control Panel\All Control Panel Items -> Folder Options -> View -> Show Hidden Files, Folders, and drives.
- If there is no file dfilters at this location, you can copy and paste the file from C:\Program Files\Wireshark\dfilters to C:\Users\<user>\AppData\Roaming\Wireshark\dfilters.
- The file dfilters has no extension.
Open the file dfilters with Notepad.
Copy and paste the following text to dfilters:
"WLAN DISPLAY FILTERS" HEADER
" Beacon Frames" wlan.fc.type_subtype == 0x08
" No Beacon Frames" !wlan.fc.type_subtype == 0x08
" Beacon Frames or Ack's" (wlan.fc.type_subtype == 0x08) || (wlan.fc.type_subtype == 0x1d)
" No Beacon Frames and No Ack" (!wlan.fc.type_subtype == 0x08) && (!wlan.fc.type_subtype == 0x1d)
Make sure to end the file with an empty line, otherwise you won't see the last filter.
File cfilters
Repeat the steps above to modify the file cfilters.
Copy and paste the following text to cfilters:
"WLAN CAPTURE FILTERS" HEADER
" Capture only Ethernet type EAPOL" ether proto 0x888e
" Beacon Frames" wlan[0] == 0x80
" No Beacon Frames" wlan[0] != 0x80
" Probe Requests" wlan[0] == 0x40
" No Probe Requests" wlan[0] != 0x40
" Probe Response" wlan[0] == 0x50
" No Probe Response" wlan[0] != 0x50
" Ack" wlan[0] == 0xd4
" No Ack" wlan[0] != 0xd4
" CF-End" wlan[0] == 0xe4
" No CF-End" wlan[0] != 0xe4
" Clear-to-send" wlan[0] == 0xc4
" No Clear-to-send" wlan[0] != 0xc4
" Beacon Frames - Probe Response/Request - Ack" wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4
" No Beacon Frames - No Probe Response/Request - No Ack" wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4
" Beacon Frames-Probe Resp/Req-Ack-CF-End-Clear-to-send" wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4 or wlan[0] == 0xe4 or wlan[0] == 0xc4
" No Beacon Frames-Probe Resp/Req-Ack-CF-End-Clear-to-send" wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4 and wlan[0] != 0xe4 and wlan[0] != 0xc4
After you have edited the files and restarted Wireshark the new filters show up in the "Display Filters" and "Capture Filters" dialog boxes.
Tip
It is worth visiting Packet Life.
There you will find a lot of interesting cheat sheets.