One way I use a lot for determining display filters is to click on the line you want to filter on in the middle pane, for example, probe request. Then in the bottom pane where it has the Hex values, you can see what that field's value is. Then in the Status bar at the bottom of Wireshark you will see some value within parentheses. In this case, it will be (wlan.fc.type_subtype). You can then use that string in the display filter and add the Relation (==, !=, etc.) and then the 0x<Hexvalue> from the middle screen.
Of course the easier method is to let Wireshark do all this for you by right-clicking on the field you want to filter with and selecting Apply as Filter, and then choosing whether to select frames with that value or other parameters.
Hope this helps,
Wes
--- On Fri, 5/14/10, Anthony Murabito <anthony@xxxxxxxxxxx> wrote:
From: Anthony Murabito <anthony@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Filter out a string using a display filter
To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
Date: Friday, May 14, 2010, 10:49 AM
Hi Panos,
The reference table you speak of is formally contained within the IEEE 802.11 Standard. There may be some Wireshark code you can look at, however, that may map all the type/subtypes out as well. Perhaps someone on this mailing list can point you to that place; I don't know where it is.
I don't have a good answer to your second question; however, I can answer the third. Probe Requests & Responses are a generic way for 802.11 devices to exchange information. They are packed with information elements which can show security configurations, supported rates, 11n capabilities, proprietary information, etc. They are often used when an 802.11 device is in "Active Scanning" mode, to find out information about all local basic service sets.
-Anthony
On 05/14/2010 07:13 AM, Panagiotis Georgopoulos wrote:
Hello Anthony and Guy,
On May 13, 2010, at 9:11 AM, Anthony Murabito wrote:
Hi Panos,
wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05
I.e., 802.11 probe packets don't contain the phrase "probe request" or "probe response"; those strings are contained, instead, in Wireshark and TShark (or, rather, in the library that both of them use to dissect packets), and they use them when displaying the packet summary and details. What the probe request and response packets contain (along with all other 802.11 packets) are a type and subtype field, with particular values for particular packet types, and what you need to check for are those packet types.
Thank you both very much for your replies, they were really helpful! Anthony provided a solution to the problem and Guy an explanation ;-)
I get this now; however:
a) Is there a reference table somewhere that describes these values, e.g. that 0x04 is probe request and 0x05 is probe reply?
b) Is there a way to instruct Wireshark to filter based on the info it presents in the Info field for a packet? (Which is what the user sees, so IMHO it makes much more sense.)
c) Although this goes beyond the scope of this list, what are these probe request and response 802.11 packets exactly? I was not seeing them in previous tests, why did they appear now?
Thanks a lot in advance, Panos
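As an added example, not code from the Wireshark project or from anyone on this thread, the following Python shows where the 0x04 and 0x05 values in the filter come from: it decodes the 2-byte Frame Control field at the start of an 802.11 frame, combines the type and subtype bits the way Wireshark's wlan.fc.type_subtype value does ((type << 4) | subtype), and applies the thread's filter expression to a few hand-constructed frames. The name table is a small subset of the IEEE 802.11 type/subtype assignments, and the frames, MAC addresses and the `SAMPLE_FRAMES` list are constructed for the demonstration (the RTS frame is given a management-sized header for simplicity; only its first two bytes are read).

```python
"""Decode the 802.11 Frame Control field and apply the thread's display filter.

Added example for this thread; not code from the Wireshark project or from
any of the posters. Frames, MAC addresses and the partial name table below
are constructed for the demonstration.
"""
import struct

# Frame Control octet 0 layout (IEEE 802.11): bits 0-1 protocol version,
# bits 2-3 type (0 = management, 1 = control, 2 = data), bits 4-7 subtype.
# Wireshark reports wlan.fc.type_subtype as (type << 4) | subtype, which is
# why a probe request is 0x04 and a probe response is 0x05.
TYPE_SUBTYPE_NAMES = {  # subset of the IEEE 802.11 type/subtype table
    0x00: "Association Request",
    0x04: "Probe Request",
    0x05: "Probe Response",
    0x08: "Beacon",
    0x1b: "Request-to-send",
    0x1c: "Clear-to-send",
    0x20: "Data",
    0x28: "QoS Data",
}


def parse_frame_control(frame: bytes) -> dict:
    """Split the little-endian 2-byte Frame Control field at the frame start."""
    if len(frame) < 2:
        raise ValueError("frame too short to hold a Frame Control field")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return {
        "version": fc & 0x3,
        "type": ftype,
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,
    }


def type_subtype_name(value: int) -> str:
    """Look a wlan.fc.type_subtype value up in the (partial) name table."""
    return TYPE_SUBTYPE_NAMES.get(value, "Unknown/reserved")


def summarize(frame: bytes) -> str:
    """One-line summary in the style of Wireshark's Info column."""
    ts = parse_frame_control(frame)["type_subtype"]
    return f"{type_subtype_name(ts)} (0x{ts:02x})"


def matches_display_filter(frame: bytes) -> bool:
    """Python equivalent of the thread's display filter:
    wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05
    """
    ts = parse_frame_control(frame)["type_subtype"]
    return ts != 0x04 and ts != 0x05


def keep_matching(frames) -> list:
    """Return summaries of the frames the display filter would keep."""
    return [summarize(f) for f in frames if matches_display_filter(f)]


def _mac_header(fc0: int) -> bytes:
    """Constructed 24-byte MAC header: FC, duration, addr1-3, sequence control.
    Only the first two bytes matter to the functions above."""
    bcast = b"\xff" * 6
    sta = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    return bytes([fc0, 0x00]) + b"\x00\x00" + bcast + sta + bcast + b"\x00\x00"


# Constructed sample "capture": one frame of each of five kinds.
SAMPLE_FRAMES = [
    ("probe request", _mac_header(0x40)),   # type 0, subtype 4
    ("probe response", _mac_header(0x50)),  # type 0, subtype 5
    ("beacon", _mac_header(0x80)),          # type 0, subtype 8
    ("rts", _mac_header(0xB4)),             # type 1, subtype 11
    ("qos data", _mac_header(0x88)),        # type 2, subtype 8
]


if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES:
        fc = parse_frame_control(frame)
        print(f"{label:15} fc0=0x{frame[0]:02x} type={fc['type']} "
              f"subtype={fc['subtype']:2} -> {summarize(frame)}")
    print("kept by filter:", keep_matching(f for _, f in SAMPLE_FRAMES))
```

Running it lists each constructed frame with its raw first octet, decoded type and subtype, and the combined value Wireshark would show in the Status bar, and then the three frames (beacon, RTS, QoS data) that survive the filter from the thread.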