Wireshark-users: Re: [Wireshark-users] Filter out a string using a display filter
From: Wes <wes_r@xxxxxxxxx>
Date: Fri, 14 May 2010 08:50:21 -0700 (PDT)
One way I use a lot for determining display filters is to click on the line you want to filter on in the middle pane, for example, probe request. Then in the bottom pane where it has the Hex values, you can see what that field's value is. Then in the Status bar at the bottom of Wireshark you will see some value within parentheses. In this case, it will be (wlan.fc.type_subtype). You can then use that string in the display filter and add the Relation (==, !=, etc) and then the 0x<Hexvalue> from the middle screen.

Of course the easier method is to let Wireshark do all this for you by right clicking on the field you want to filter with and selecting, Apply as Filter and then whether to select frames with that value or other parameters.

Hope this helps,

Wes

--- On Fri, 5/14/10, Anthony Murabito <anthony@xxxxxxxxxxx> wrote:

From: Anthony Murabito <anthony@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Filter out a string using a display filter
To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
Date: Friday, May 14, 2010, 10:49 AM

Hi Panos,

The reference table you speak of is formally contained within the IEEE 802.11 Standard. There may be some wireshark code you can look at, however, that may map all the type/subtypes out as well. Perhaps someone on this mailing list can point you to that place, I don't know where it is.

I don't have a good answer to your second question, however I can answer the third. Probe Requests & Responses are a generic way for 802.11 devices to exchange information. They are packed with information elements which can show security configurations, supported rates, 11n capabilities, proprietary information, etc. They are often used when an 802.11 device is in "Active Scanning" mode, to find out information about all local basic service sets.

-Anthony

On 05/14/2010 07:13 AM, Panagiotis Georgopoulos wrote:
Hello Antony and Guy,

On May 13, 2010, at 9:11 AM, Anthony Murabito wrote:

Hi Panos,

wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05
I.e., 802.11 probe packets don't contain the phrase "probe request" or
"probe response"; those strings are contained, instead, in Wireshark
and TShark (or, rather, in the library that both of them use to dissect
packets), and they use them when displaying the packet summary and
details. What the probe request and response packets contain (along
with all other 802.11 packets) are a type and subtype field, with
particular values for particular packet types, and what you need to
check for are those packet types.

Thank you both very much for your replies, they were really helpful! Antony
provided a solution to the problem and Guy an explanation;-)

I get this know, however :

a) is there a reference table somewhere that describes these values
e.g. that 0x04 is probe request and 0x05 is probe reply?
b) is there a way to instruct Wireshark to filter based on the info
it presents in the info field for a packet? (which is what the user sees, so
IMHO it makes much more sense)
c) although this goes beyond the scope of this list, what are these
probe request and response 802.11 packets exactly? I was not seeing them in
previous tests, why did they appear now?


Thanks a lot in advance,
Panos



-----Inline Attachment Follows-----

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe