Wireshark-users: Re: [Wireshark-users] Capture filters for wlan
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 3 Jul 2010 10:56:25 -0700
On Jul 3, 2010, at 4:56 AM, j.snelders wrote:

> ra capture filter
> wlan[4:4]==0xb0141e30

OK, I checked 802.11-2007, and the ra and ta are always in the same address field (unlike sa and da, which are in different address fields based on the setting of To DS and From DS).

So, with newer versions of libpcap, although you can't say "wlan ra XX:XX:XX:XX:XX:XX" or "wlan ta XX:XX:XX:XX:XX:XX", you can say "wlan addr1 XX:XX:XX:XX:XX:XX" to filter on the RA field and "wlan addr2 XX:XX:XX:XX:XX:XX" to filter on the TA field.

I'll look at making "wlan ra" and "wlan ta" aliases for "wlan addr1" and "wlan addr2"; that's relatively straightforward.

(BTW, this also found a bug wherein saying "wlan addr{1,2,3,4}" on anything other than a device returning 802.11 headers will crash the application using libpcap/WinPcap; that bug is in all versions of libpcap/WinPcap that support "wlan addr{1,2,3,4}".)

> wlan[4:4*]
> * 4 seems to be the max

Yes, it is, unfortunately, so you'd have to use two expressions to check all 6 octets.
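
The two-expression check described above, as an added example that is not part of the original message or of libpcap: a shell helper that splits a 6-octet address into a 4-byte and a 2-byte comparison. The function name `wlan_addr_filter`, the TA offset of 10 (address 2 directly follows the 6-octet address 1 at offset 4) and the last two octets of the sample MAC are assumptions made here.

```shell
#!/bin/sh
# Added example: build a capture filter that matches all 6 octets of an
# 802.11 address with byte-offset loads, which are limited to 4 bytes each.
# Offsets are relative to the start of the 802.11 header, as in wlan[4:4].

# wlan_addr_filter FIELD MAC   (hypothetical helper name)
#   FIELD: ra (address 1, offset 4) or ta (address 2, offset 10)
#   MAC:   six hex octets separated by ':' or '-'
wlan_addr_filter() {
    field=$1
    mac=$2
    case "$field" in
        ra) off=4 ;;
        ta) off=10 ;;
        *) echo "field must be ra or ta" >&2; return 2 ;;
    esac

    # Normalise: lower-case the hex digits and strip the separators.
    hex=$(printf '%s' "$mac" | tr 'A-F' 'a-f' | tr -d ':-')
    case "$hex" in
        *[!0-9a-f]*) echo "invalid MAC: $mac" >&2; return 2 ;;
    esac
    if [ "${#hex}" -ne 12 ]; then
        echo "invalid MAC: $mac" >&2
        return 2
    fi

    # First four octets go in a 4-byte load, the last two in a 2-byte load.
    hi=$(printf '%s' "$hex" | cut -c1-8)
    lo=$(printf '%s' "$hex" | cut -c9-12)
    printf 'wlan[%d:4]==0x%s and wlan[%d:2]==0x%s\n' \
        "$off" "$hi" "$((off + 4))" "$lo"
}

# When run as a script with two arguments, print the filter, e.g.
#   sh wlan_filter.sh ra b0:14:1e:30:00:01   (constructed sample MAC)
if [ "$#" -eq 2 ]; then
    wlan_addr_filter "$1" "$2"
fi
```

The printed expression can be passed as the capture filter to any libpcap-based tool; on a libpcap new enough to support it, "wlan addr1" / "wlan addr2" with the full address does the same job in one expression.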