Wireshark-users: Re: [Wireshark-users] Filter out a string using a display filter
From: "Panagiotis Georgopoulos" <panos@xxxxxxxxxxxxxxxx>
Date: Fri, 14 May 2010 12:13:05 +0100
Hello Anthony and Guy,

> 
> On May 13, 2010, at 9:11 AM, Anthony Murabito wrote:
> 
> > Hi Panos,
> >
> > wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05
> 
> I.e., 802.11 probe packets don't contain the phrase "probe request" or
> "probe response"; those strings are contained, instead, in Wireshark
> and TShark (or, rather, in the library that both of them use to dissect
> packets), and they use them when displaying the packet summary and
> details.  What the probe request and response packets contain (along
> with all other 802.11 packets) are a type and subtype field, with
> particular values for particular packet types, and what you need to
> check for are those packet types.


Thank you both very much for your replies, they were really helpful! Anthony
provided a solution to the problem and Guy an explanation ;-)

I get this now, however:

	a) is there a reference table somewhere that describes these values
e.g. that 0x04 is probe request and 0x05 is probe reply?
	b) is there a way to instruct Wireshark to filter based on the info
it presents in the info field for a packet? (which is what the user sees, so
IMHO it makes much more sense)
	c) although this goes beyond the scope of this list, what are these
probe request and response 802.11 packets exactly? I was not seeing them in
previous tests, why did they appear now?


	Thanks a lot in advance,
	Panos
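
The check that the quoted display filter performs, sketched as an added example (not part of the original message or of Wireshark's code): it derives the combined type/subtype value from the first Frame Control byte of a raw 802.11 header and drops probe requests and responses. The function names and sample frames are constructed for illustration, and the frames are assumed to start at the 802.11 header with no radiotap or other capture header in front.

```python
# Added illustration: compute the value Wireshark exposes as
# wlan.fc.type_subtype from the Frame Control field of an 802.11 header.

PROBE_REQUEST = 0x04   # management frame (type 0), subtype 4
PROBE_RESPONSE = 0x05  # management frame (type 0), subtype 5


def type_subtype(frame: bytes) -> int:
    """Return (type << 4) | subtype, read from the first Frame Control byte."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte Frame Control field")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3     # bits 2-3: 0=management, 1=control, 2=data
    subtype = (fc0 >> 4) & 0xF   # bits 4-7
    return (ftype << 4) | subtype


def drop_probes(frames):
    """Same test as:
    wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05
    """
    probes = (PROBE_REQUEST, PROBE_RESPONSE)
    return [f for f in frames if type_subtype(f) not in probes]


# Constructed sample headers (Frame Control bytes plus zero padding),
# not captured traffic.
SAMPLE_FRAMES = {
    "probe request": bytes([0x40, 0x00]) + bytes(22),
    "probe response": bytes([0x50, 0x00]) + bytes(22),
    "beacon": bytes([0x80, 0x00]) + bytes(22),
    "data": bytes([0x08, 0x01]) + bytes(22),
    "ack": bytes([0xD4, 0x00]) + bytes(8),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:15s} type_subtype=0x{type_subtype(frame):02x}")
    kept = drop_probes(SAMPLE_FRAMES.values())
    print(f"kept {len(kept)} of {len(SAMPLE_FRAMES)} frames")
```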