Charsley, Troy (Sudbury) said:
> Here is an example of a filter I am using:
> eth.src == 00:12:7f:ce:8d:70
...
> This is a beacon packet.

There's no such thing as a "beacon packet" on Ethernet, so this isn't an
Ethernet packet; "eth.src" is an Ethernet-specific field, and, as such,
appears only in Ethernet packets. Any comparison of a field that doesn't
exist in a packet returns "false".

This has nothing to do with airodump - the same problem would occur with
any other type of 802.11 capture (and would occur with FDDI captures,
Token Ring captures, etc.).

The MAC-address fields you can filter on in 802.11 packets are:

wlan.da - the DA field
wlan.sa - the SA field
wlan.ra - the RA field
wlan.ta - the TA field
wlan.bssid - the BSSID field

Perhaps we need, for example, some "pseudo-fields" that correspond to
source and destination addresses as displayed in the columns in the packet
list, so that you could do "src == foo" (which would match packets with a
source address corresponding to the host name "foo", where that could be
*any* type of host name, i.e. one corresponding to a MAC address or an
IPv4 address or an IPv6 address or...), "dst == 127.0.0.1" (which would
match only IPv4 packets; we'd need a syntax for addresses that lets us
infer the address type or types from the address string), and "addr ==
fe80::1" (which would match anything with a source *or* destination IPv6
address of fe80::1).
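
Added example, not part of the original message and not Wireshark's dissector code: a sketch of how the address slots in an 802.11 header map to the wlan.* fields listed above, and why a comparison on "eth.src" is false for such a frame. It goes beyond the beacon case to cover the ToDS/FromDS combinations; the function names and the sample frame are constructed for illustration.

```python
# Added example: maps 802.11 MAC header addresses to the wlan.* filter fields.
# Frames are assumed to start at the 802.11 header (no radiotap prefix, no FCS).

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def wlan_fields(frame):
    """Return {field name: address} for one 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("too short for an 802.11 header")
    ftype = (frame[0] >> 2) & 0x3            # 0 management, 1 control, 2 data
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    fields = {"wlan.ra": mac(frame[4:10])}   # Address 1 is always the receiver
    if ftype == 1:                           # control: RA, plus TA when present
        if len(frame) >= 16:
            fields["wlan.ta"] = mac(frame[10:16])
        return fields
    if len(frame) < 24:
        raise ValueError("truncated management/data header")
    a1, a2, a3 = (mac(frame[i:i + 6]) for i in (4, 10, 16))
    fields["wlan.ta"] = a2                   # Address 2 is always the transmitter
    if not to_ds and not from_ds:            # management frames, ad hoc data
        fields.update({"wlan.da": a1, "wlan.sa": a2, "wlan.bssid": a3})
    elif to_ds and not from_ds:              # station -> AP
        fields.update({"wlan.bssid": a1, "wlan.sa": a2, "wlan.da": a3})
    elif from_ds and not to_ds:              # AP -> station
        fields.update({"wlan.da": a1, "wlan.bssid": a2, "wlan.sa": a3})
    else:                                    # four-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("truncated four-address header")
        fields.update({"wlan.da": a3, "wlan.sa": mac(frame[24:30])})
    return fields

def matches(fields, name, value):
    """'name == value' with display-filter semantics: absent field -> False."""
    return fields.get(name) == value.lower()

# Constructed sample: a beacon header built from the address in the quoted filter.
BEACON = bytes.fromhex(
    "8000" "0000"          # frame control (management, beacon), duration
    "ffffffffffff"         # Address 1: broadcast
    "00127fce8d70"         # Address 2: assumed to be the access point
    "00127fce8d70"         # Address 3: BSSID
    "0000")                # sequence control

if __name__ == "__main__":
    f = wlan_fields(BEACON)
    print(matches(f, "eth.src", "00:12:7f:ce:8d:70"))
    print(matches(f, "wlan.sa", "00:12:7f:ce:8d:70"))
```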