WN Blog 002 – Wireshark Filters
Both Mac & Matt are currently studying for their final CWNP exam, CWAP, and have been making notes and tips along the way, so we wanted to share some with you guys.
A lot of the Wireshark filters below we got from the guys over at CTS, but we have added a few more that we have found useful, and we will keep adding to the list along the way on our journey!
Basic filter:
wlan.addr == 00:11:22:33:44:55 (MAC address)
Filter on only authentication:
wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x000b
Filter on only association request:
wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0000
Filter on only association response:
wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0001
Filter on only probe request:
wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0004
Filter on only probe response:
wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0005
4-way handshake filter:
wlan.addr == 00:11:22:33:44:55 (MAC address) && eapol
Filter by SSID:
wlan.ssid == "SSID" (string in straight double quotes; older Wireshark releases exposed this field as wlan_mgt.ssid)
Filter by AP:
wlan.bssid == 00:11:22:33:44:55 (AP MAC address, written without quotes)
Power Management:
wlan.fc.pwrmgt == 1 (or 0)
Retransmissions:
Retransmissions: wlan.fc.retry==1
Retries to DS: wlan.fc.retry==1 && wlan.fc.tods==1
Retries from DS: wlan.fc.retry==1 && wlan.fc.fromds==1
Filter Addresses:
MAC Address: wlan.addr == 00:11:22:33:44:55 (MAC address)
Transmitter address: wlan.ta == 00:11:22:33:44:55 (MAC address)
Receiver address: wlan.ra == 00:11:22:33:44:55 (MAC address)
Source address: wlan.sa == 00:11:22:33:44:55 (MAC address)
Destination address: wlan.da == 00:11:22:33:44:55 (MAC address)
802.11 Management Frames:
All management frames: wlan.fc.type == 0
Association request: wlan.fc.type_subtype == 0
Association response: wlan.fc.type_subtype == 1
Re-association request: wlan.fc.type_subtype == 2
Re-association response: wlan.fc.type_subtype == 3
Probe request: wlan.fc.type_subtype == 4
Probe response: wlan.fc.type_subtype == 5
Beacons: wlan.fc.type_subtype == 8
ATIMs: wlan.fc.type_subtype == 9
Disassociations: wlan.fc.type_subtype == 10
Authentications: wlan.fc.type_subtype == 11
De-authentications: wlan.fc.type_subtype == 12
Actions: wlan.fc.type_subtype == 13
802.11 Control Frames:
All control frames: wlan.fc.type == 1
Block ack requests: wlan.fc.type_subtype == 24
Block ACKs: wlan.fc.type_subtype == 25
PS-Polls: wlan.fc.type_subtype == 26
Ready to Sends: wlan.fc.type_subtype == 27
Clear to sends: wlan.fc.type_subtype == 28
ACKs: wlan.fc.type_subtype == 29
CF-Ends: wlan.fc.type_subtype == 30
CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31
802.11 Data Frames:
All Data frames: wlan.fc.type == 2
Data: wlan.fc.type_subtype == 32
Data + CF-ACK: wlan.fc.type_subtype == 33
Data + CF-Poll: wlan.fc.type_subtype == 34
Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
Null: wlan.fc.type_subtype == 36
CF-ACK: wlan.fc.type_subtype == 37
CF-Poll: wlan.fc.type_subtype == 38
CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
QoS data: wlan.fc.type_subtype == 40
QoS data + CF-ACK: wlan.fc.type_subtype == 41
QoS data + CF-Poll: wlan.fc.type_subtype == 42
QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
QoS Null: wlan.fc.type_subtype == 44
QoS CF-Poll: wlan.fc.type_subtype == 46
QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47
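As an added example (not from the post or from CTS), here is a short Python decoder showing where the wlan.fc.* values in the lists above come from: it parses the Frame Control field of constructed 802.11 headers, builds the matching display filter, and counts de-authentication frames per transmitter. The AP and STA addresses are made up.

```python
"""Decode the 802.11 Frame Control field into the wlan.fc.* values the
filters above refer to. Constructed headers, not captures from the post."""
import struct
from collections import Counter

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(hdr: bytes) -> dict:
    """Return the Wireshark-style field values for a raw 802.11 MAC header."""
    fc, = struct.unpack_from("<H", hdr, 0)      # Frame Control, little-endian
    ftype = (fc >> 2) & 0x3                     # wlan.fc.type
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    return {
        "type": ftype,
        # wlan.fc.type_subtype is (type << 4) | subtype, which is why control
        # frames sit at 24..31 and data frames at 32..47 in the lists above
        "type_subtype": (ftype << 4) | subtype,
        "tods": flags & 0x1,                    # wlan.fc.tods
        "fromds": (flags >> 1) & 0x1,           # wlan.fc.fromds
        "retry": (flags >> 3) & 0x1,            # wlan.fc.retry
        "pwrmgt": (flags >> 4) & 0x1,           # wlan.fc.pwrmgt
        "ra": mac(hdr[4:10]),                   # wlan.ra (address 1)
        "ta": mac(hdr[10:16]),                  # wlan.ta (address 2)
    }

def display_filter(fields: dict) -> str:
    """Build the display filter that matches this frame's transmitter and type."""
    return (f"wlan.addr == {fields['ta']} && "
            f"wlan.fc.type_subtype == {fields['type_subtype']}")

def deauth_counts(headers) -> Counter:
    """Count de-authentication frames (type_subtype 12) per transmitter; a burst
    from one TA to the broadcast address is worth a closer look in a capture."""
    counts = Counter()
    for h in headers:
        f = parse_header(h)
        if f["type_subtype"] == 12:
            counts[f["ta"]] += 1
    return counts

# Constructed 24-byte headers: FC, duration, addr1, addr2, addr3, seq-ctrl.
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
DEAUTH = b"\xc0\x00" + b"\x3a\x01" + b"\xff" * 6 + AP + AP + b"\x00\x00"
RETRY_DATA_TODS = b"\x08\x09" + b"\x00\x00" + AP + STA + AP + b"\x10\x00"
```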
Radio Tap Header Information:
Specific Channel: radiotap.channel.freq == 5240 (frequency)
Specific data rate: radiotap.datarate == 6 (rate in Mbps)
RSSI: radiotap.dbm_antsignal == -60 (signal strength in dBm; a comparison such as radiotap.dbm_antsignal < -70 is usually more useful than an exact match)
Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us!