Wireshark-users: Re: [Wireshark-users] Capture filters for wlan
From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 4 Jul 2010 15:42:55 +0200
Thank you.

On Sat, 3 Jul 2010 10:56:25 -0700 Guy Harris wrote:
>On Jul 3, 2010, at 4:56 AM, j.snelders wrote:
>
>> ra capture filter
>> wlan[4:4]==0xb0141e30
>
>OK, I checked 802.11-2007, and the ra and ta are always in the same address
>field (unlike sa and da, which are in different address fields based on
the
>setting of To DS and From DS).
>
>So, with newer versions of libpcap, although you can't say "wlan ra XX:XX:XX:XX:XX:XX"
>or "wlan ta XX:XX:XX:XX:XX:XX", you can say "wlan addr1 XX:XX:XX:XX:XX:XX"
>to filter on the RA field and "wlan addr2 XX:XX:XX:XX:XX:XX" to filter on
>the TA field.
>
>I'll look at making "wlan ra" and "wlan ta" aliases for "wlan addr1" and
>"wlan addr2"; that's relatively straightforward.
>
>(BTW, this also found a bug wherein saying "wlan addr{1,2,3,4}" on anything
>other than a device returning 802.11 headers will crash the application
using
>libpcap/WinPcap; that bug is in all versions of libpcap/WinPcap that support
>"wlan addr{1,2,3,4}".)
>
>> wlan[4:4*]
>> * 4 seems to be the max
>
>Yes, it is, unfortunately, so you'd have to use two expressions to check
>all 6 octets.