
Wireshark: Wireless Display and Capture Filters Samples part 2 (by Joke Snelders)

Author profile (Joke Snelders): My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.

What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.


Wireshark: Wireless Display and Capture Filters Samples

In addition to the article I wrote in February 2010, I have some more useful wireless display and capture filters that I would like to share with you.

Display filters
In the Wireshark Display Filter Reference you will find an overview of the field names.
On the website Will Hack For Sushi you can find a cheat sheet, the 802.11 Pocket Reference Guide, with the type codes you can use in combination with wlan.fc.type and wlan.fc.type_subtype.

You can download the 802.11 Pocket Reference Guide here.

Here are some examples of display filter fields for the frame type and subtype; after the tables you will see how to combine them into display filters:

Frame type          Filter
Management frames   wlan.fc.type eq 0
Control frames      wlan.fc.type eq 1
Data frames         wlan.fc.type eq 2

Frame subtype          Filter
Association request    wlan.fc.type_subtype eq 0
Association response   wlan.fc.type_subtype eq 1
Probe request          wlan.fc.type_subtype eq 4
Probe response         wlan.fc.type_subtype eq 5
Beacon                 wlan.fc.type_subtype eq 8
Authentication         wlan.fc.type_subtype eq 11
Deauthentication       wlan.fc.type_subtype eq 12

Display filter examples
  • Show beacons:
    wlan.fc.type_subtype eq 8
  • Show everything except the beacons:
    not wlan.fc.type_subtype eq 8
  • Show probe requests or probe responses:
    wlan.fc.type_subtype eq 4 or wlan.fc.type_subtype eq 5
  • Show everything except the beacons, probe requests or probe responses:
    not wlan.fc.type_subtype eq 4 and not wlan.fc.type_subtype eq 5 and not wlan.fc.type_subtype eq 8




Capture filters
You can use a wlan type or a wlan subtype as a capture filter.
Let me give you some capture filter samples.

WLAN type
Valid wlan types are mgt, ctl and data.

Capture filter examples
  • Capture only management frames:
    type mgt
  • Capture everything except control frames:
    not type ctl
  • Capture data frames to/from MAC address 04:1e:64:ea:c3:ef:
    wlan host 04:1e:64:ea:c3:ef and type data

WLAN subtype
Management frames
Valid subtypes are:
assocreq, assocresp, reassocreq, reassocresp, probereq, proberesp, beacon, atim, disassoc, auth and deauth

Control frames
Valid subtypes are:
ps-poll, rts, cts, ack, cf-end and cf-end-ack

Data frames
Valid subtypes are:
data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll and qos-cf-ack-poll

Capture filter examples
  • Capture only beacons:
    subtype beacon
  • Capture everything except beacons:
    not subtype beacon
  • Capture beacons, probe requests and probe responses:
    subtype beacon or subtype probereq or subtype proberesp
  • Capture all frames except beacons, probe requests and probe responses:
    not subtype beacon and not subtype probereq and not subtype proberesp
  • Capture beacons, probe requests and probe responses to/from host 00:0c:f6:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 and subtype beacon) or (wlan host 00:0c:f6:69:f8:69 and subtype probereq) or (wlan host 00:0c:f6:69:f8:69 and subtype proberesp)

    You can also use this capture filter:

    wlan host 00:0c:f6:69:f8:69 and (subtype beacon or subtype probereq or subtype proberesp)
  • Capture probe requests from wlan host 00:0c:f6:69:f8:69 and probe responses from wlan host 00:24:2c:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 and subtype probereq) or (wlan host 00:24:2c:69:f8:69 and subtype proberesp)
  • Capture beacons, probe requests and probe responses to/from host 00:0c:f6:69:f8:69 or to/from host 00:24:2c:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69) and (subtype beacon or subtype probereq or subtype proberesp)
  • Capture all packets from wlan src 00:24:2c:69:f8:69 except beacons, probe requests and probe responses:
    wlan src 00:24:2c:69:f8:69 and not subtype beacon and not subtype probereq and not subtype proberesp
  • Capture all association requests/responses, reassociation requests/responses, disassociation and (de)authentication frames and all EAPOL frames (ether proto 0x888e):
    (subtype assocreq or subtype assocresp or subtype reassocreq or subtype reassocresp or subtype disassoc or subtype auth or subtype deauth) or (ether proto 0x888e)
  • Capture all EAPOL frames, association requests/responses, reassociation requests/responses, disassociation and (de)authentication frames to/from wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69) and (ether proto 0x888e or subtype assocreq or subtype assocresp or subtype reassocreq or subtype reassocresp or subtype disassoc or subtype auth or subtype deauth)
  • Capture all frames to/from wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69:
    wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69
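The display filter fields above and the capture filter keywords in this section both come from the same two bits and four bits of the 802.11 Frame Control field, and `ether proto 0x888e` works on data frames because libpcap reads the EtherType out of the LLC/SNAP header that follows the 802.11 header. The following Python is an added example, not code from the article: it constructs a handful of 802.11 frames (beacon, probe request/response, authentication, deauthentication, ACK, an EAPOL data frame and a QoS data frame, reusing the sample MAC addresses from the article), computes the value Wireshark shows in wlan.fc.type_subtype for each, and evaluates the article's capture filter expressions over them with small predicates. The helper names (`build`, `parse`, `select`, `wlan_type`, `subtype`, `wlan_host`, `wlan_src`, `ether_proto`) are mine; it assumes control frames carry only addr1 and checks `wlan host` against addr1 to addr3 only (libpcap also checks addr4 in WDS frames).

```python
# Added example (not from the article): classify constructed 802.11 frames the way
# Wireshark's wlan.fc.type / wlan.fc.type_subtype fields and libpcap's
# "type"/"subtype"/"wlan host"/"ether proto" capture keywords do.
from dataclasses import dataclass
from typing import Optional, Tuple

TYPE_NAMES = {0: "mgt", 1: "ctl", 2: "data"}

# pcap-filter subtype keywords from the article, keyed by (type, subtype) as
# carried in the Frame Control field: bits 2-3 = type, bits 4-7 = subtype.
SUBTYPE_NAMES = {
    (0, 0): "assocreq", (0, 1): "assocresp", (0, 2): "reassocreq",
    (0, 3): "reassocresp", (0, 4): "probereq", (0, 5): "proberesp",
    (0, 8): "beacon", (0, 9): "atim", (0, 10): "disassoc", (0, 11): "auth",
    (0, 12): "deauth",
    (1, 10): "ps-poll", (1, 11): "rts", (1, 12): "cts", (1, 13): "ack",
    (1, 14): "cf-end", (1, 15): "cf-end-ack",
    (2, 0): "data", (2, 1): "data-cf-ack", (2, 2): "data-cf-poll",
    (2, 3): "data-cf-ack-poll", (2, 4): "null", (2, 5): "cf-ack",
    (2, 6): "cf-poll", (2, 7): "cf-ack-poll", (2, 8): "qos-data",
    (2, 9): "qos-data-cf-ack", (2, 10): "qos-data-cf-poll",
    (2, 11): "qos-data-cf-ack-poll", (2, 12): "qos", (2, 14): "qos-cf-poll",
    (2, 15): "qos-cf-ack-poll",
}
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header that precedes the EtherType


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build(fc0, fc1, a1, a2=None, a3=None, qos=False, body=b""):
    """Constructed 802.11 frame: Frame Control, Duration, addr1[, addr2, addr3,
    Sequence Control[, QoS Control]], body. Control frames here carry only addr1."""
    frame = bytes([fc0, fc1]) + b"\x00\x00" + mac(a1)
    if a2 is not None:
        frame += mac(a2) + mac(a3) + b"\x00\x00" + (b"\x00\x00" if qos else b"")
    return frame + body


# Sample MAC addresses reused from the article; the frames themselves are constructed.
AP, STA, BCAST = "00:0c:f6:69:f8:69", "00:24:2c:69:f8:69", "ff:ff:ff:ff:ff:ff"
FRAMES = {
    "beacon":    build(0x80, 0x00, BCAST, AP, AP),
    "probereq":  build(0x40, 0x00, BCAST, STA, BCAST),
    "proberesp": build(0x50, 0x00, STA, AP, AP),
    "auth":      build(0xB0, 0x00, AP, STA, AP),
    "deauth":    build(0xC0, 0x00, STA, AP, AP),
    "ack":       build(0xD4, 0x00, STA),
    # Data frame, FromDS, carrying an EAPOL (EtherType 0x888e) key message
    "eapol":     build(0x08, 0x02, STA, AP, AP, body=LLC_SNAP + b"\x88\x8e\x02\x03"),
    # QoS data frame, ToDS, carrying IPv4 (EtherType 0x0800)
    "qos-data":  build(0x88, 0x01, AP, STA, AP, qos=True, body=LLC_SNAP + b"\x08\x00"),
}


@dataclass
class Parsed:
    ftype: int
    subtype: int
    addrs: Tuple[bytes, ...]
    ethertype: Optional[int]


def parse(raw: bytes) -> Parsed:
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    n_addr = 1 if ftype == 1 else 3             # assumption: control frames = addr1 only
    addrs = tuple(raw[4 + 6 * i:10 + 6 * i] for i in range(n_addr))
    ethertype = None
    if ftype == 2:                              # data: look past the header for LLC/SNAP
        hdr = 24 + (2 if subtype & 0x8 else 0)  # QoS subtypes add a QoS Control field
        if raw[hdr:hdr + 3] == LLC_SNAP[:3]:
            ethertype = int.from_bytes(raw[hdr + 6:hdr + 8], "big")
    return Parsed(ftype, subtype, addrs, ethertype)


def type_subtype(p: Parsed) -> int:
    """Value Wireshark shows in wlan.fc.type_subtype: (type << 4) | subtype."""
    return (p.ftype << 4) | p.subtype


# Predicates mirroring the capture-filter primitives used in the article.
def wlan_type(name):  return lambda p: TYPE_NAMES.get(p.ftype) == name
def subtype(name):    return lambda p: SUBTYPE_NAMES.get((p.ftype, p.subtype)) == name
def wlan_host(m):     return lambda p: mac(m) in p.addrs         # any of addr1..addr3
def wlan_src(m):      return lambda p: len(p.addrs) > 1 and p.addrs[1] == mac(m)
def ether_proto(et):  return lambda p: p.ethertype == et
def any_of(*fs):      return lambda p: any(f(p) for f in fs)     # "or"
def all_of(*fs):      return lambda p: all(f(p) for f in fs)     # "and"
def not_(f):          return lambda p: not f(p)                   # "not"


def select(flt):
    """Names of the constructed frames the filter keeps, in FRAMES order."""
    return [name for name, raw in FRAMES.items() if flt(parse(raw))]


if __name__ == "__main__":
    for name, raw in FRAMES.items():            # display-filter view of each frame
        p = parse(raw)
        print(f"{name:10} wlan.fc.type={p.ftype} wlan.fc.type_subtype=0x{type_subtype(p):02x}")
    print("type mgt           ->", select(wlan_type("mgt")))
    print("not subtype beacon ->", select(not_(subtype("beacon"))))
    print("wlan host AP and (subtype beacon or subtype probereq or subtype proberesp) ->",
          select(all_of(wlan_host(AP), any_of(subtype("beacon"), subtype("probereq"),
                                               subtype("proberesp")))))
    print("subtype auth or subtype deauth or ether proto 0x888e ->",
          select(any_of(subtype("auth"), subtype("deauth"), ether_proto(0x888E))))
```

Running it shows why the display filter values for management frames equal the raw subtype number while data and control frames land at 0x20 and 0x10 and up (the type bits are shifted in above the subtype), and why a probe request from the client does not match `wlan host 00:0c:f6:69:f8:69`: its addresses are the client and the broadcast address, so the AP only appears once it answers with a probe response. Against a real capture the same expressions go to tshark or tcpdump with -f on a monitor-mode interface; this block only reproduces their matching logic offline.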

Interesting links:
Understanding 802.11 Frame Types by Jim Geier
Ubuntu manual
Wireless Communications by Martin Land
WildPackets: Wireless LAN Overview
Packetstan: A blog about packets, tools, and bacon
