tcpdump mailing list archives

Re: pcap filter for 802.11


From: Guy Harris <guy () alum mit edu>
Date: Fri, 16 Apr 2004 13:32:19 -0700


On Apr 16, 2004, at 3:01 AM, Chen Hsia Lee wrote:

        I have just started using libpcap and am still unfamiliar with it.
What is the filter expression to pick up only wireless 802.11 packets?

If you're capturing on an 802.11 interface, by definition all the packets you will get are wireless 802.11 packets.

If you're capturing on some other type of interface, by definition *none* of the packets you will get are wireless 802.11 packets.

As such, there's no filter expression to pick up only wireless 802.11 packets - if you want that, capture on an 802.11 interface.

Do you mean, for example, "what is the filter expression to pick up only 802.11 *management* packets?" If so, then you have to construct a filter that looks at the 802.11 header to figure out the packet type; there's no built-in filter expression for that. See the 802.11 spec, and the tcpdump man page section on filter expressions; you'd use one of the

              expr relop expr
                     True if the relation holds, where relop is one of >, <, >=, <=, =, !=,
                     and expr is an arithmetic expression composed of integer constants
                     (expressed in standard C syntax), the normal binary operators
                     [+, -, *, /, &, |], a length operator, and special packet data
                     accessors. To access data inside the packet, use the following
                     syntax:

                          proto [ expr : size ]

                     Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
                     rarp, tcp, udp, icmp or ip6, and indicates the protocol layer for
                     the index operation. (ether, fddi, wlan, tr, ppp, slip and link
                     all refer to the link layer.) Note that tcp, udp and other
                     upper-layer protocol types only apply to IPv4, not IPv6 (this will
                     be fixed in the future). The byte offset, relative to the
                     indicated protocol layer, is given by expr. Size is optional and
                     indicates the number of bytes in the field of interest; it can be
                     either one, two, or four, and defaults to one. The length
                     operator, indicated by the keyword len, gives the length of the
                     packet.

                     For example, `ether[0] & 1 != 0' catches all multicast traffic.
                     The expression `ip[0] & 0xf != 5' catches all IP packets with
                     options. The expression `ip[6:2] & 0x1fff = 0' catches only
                     unfragmented datagrams and frag zero of fragmented datagrams.
                     This check is implicitly applied to the tcp and udp index
                     operations. For instance, tcp[0] always means the first byte of
                     the TCP header, and never means the first byte of an intervening
                     fragment.

                     Some offsets and field values may be expressed as names rather
                     than as numeric values. The following protocol header field
                     offsets are available: icmptype (ICMP type field), icmpcode (ICMP
                     code field), and tcpflags (TCP flags field).

                     The following ICMP type field values are available:
                     icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect,
                     icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed,
                     icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq,
                     icmp-ireqreply, icmp-maskreq, icmp-maskreply.

                     The following TCP flags field values are available: tcp-fin,
                     tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

              Primitives may be combined using:

                     A parenthesized group of primitives and operators (parentheses
                     are special to the Shell and must be escaped).

                     Negation (`!' or `not').

                     Concatenation (`&&' or `and').

                     Alternation (`||' or `or').

              Negation has highest precedence. Alternation and concatenation have
              equal precedence and associate left to right. Note that explicit and
              tokens, not juxtaposition, are now required for concatenation.

expressions to test that; you'd test the link-layer header, so "proto" would be "link" or "wlan" (they mean the same thing).

        Also, what is the option for tcpdump to print the 802.11 header?

"-e", as is the case with all link-layer headers.

        Which field is used to determine that a packet is an 802.11 packet?

See above - there *is* no field to determine that. There is a field in the 802.11 header to determine whether an 802.11 frame is a control frame, management frame, or data frame, but those are *all* 802.11 frames.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
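The reply above says that selecting management, control or data frames means writing a filter that indexes the 802.11 Frame Control byte with the `proto [ expr : size ]` syntax, using `wlan` or `link` as the protocol. The following is an added example, not code from the tcpdump project or from the original post: it decodes the Frame Control byte of a few constructed 802.11 frame headers (sample bytes made up for this example, not captured traffic), and applies hand-built filter primitives of the form `wlan[off:size] & mask relop value` to them so you can see which frames each expression selects. The `evaluate` function is a deliberately restricted evaluator for that single-primitive shape, not the full tcpdump filter grammar.

```python
"""Classify 802.11 frames by the Frame Control byte the way a hand-built
tcpdump filter such as `wlan[0] & 0x0c = 0` does.

Added example; not code from the tcpdump project or the original reply.
The sample frames below are constructed, not captured."""
import re

# IEEE 802.11 Frame Control, first byte: bits 0-1 protocol version,
# bits 2-3 frame type (0 = management, 1 = control, 2 = data), bits 4-7 subtype.
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Filters in the `proto [ expr : size ]` syntax quoted in the reply; the mask
# 0x0c isolates the type bits. `wlan` and `link` are interchangeable here.
FILTERS = {
    "management": "wlan[0] & 0x0c = 0x00",
    "control":    "wlan[0] & 0x0c = 0x04",
    "data":       "wlan[0] & 0x0c = 0x08",
    "beacon":     "wlan[0] & 0xfc = 0x80",   # type 0 (management), subtype 8
}

# Constructed sample frame headers (no body, no FCS): FC, duration, addresses,
# sequence control. The ACK is a control frame and carries only a receiver
# address, so it is much shorter than the others.
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "020000000001"
                       "020000000001" "1000")
ACK    = bytes.fromhex("d400" "0000" "020000000002")
DATA   = bytes.fromhex("0801" "2c00" "020000000001" "020000000002"
                       "020000000003" "2000")
QOS    = bytes.fromhex("8801" "2c00" "020000000001" "020000000002"
                       "020000000003" "3000" "0000")
SAMPLE_FRAMES = [BEACON, ACK, DATA, QOS]


def frame_control(frame: bytes) -> dict:
    """Decode the first Frame Control byte, i.e. the byte `wlan[0]` indexes."""
    fc = frame[0]
    ftype = (fc >> 2) & 0x03
    return {"version": fc & 0x03, "type": ftype,
            "subtype": (fc >> 4) & 0x0f, "type_name": TYPE_NAMES[ftype]}


# One primitive: wlan[off] or wlan[off:size], optional `& mask`, relop, value.
_PRIM = re.compile(
    r"^(?:wlan|link)\[(?P<off>\d+)(?::(?P<size>[124]))?\]"
    r"(?:\s*&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?"
    r"\s*(?P<op>>=|<=|!=|=|>|<)\s*(?P<val>0x[0-9a-fA-F]+|\d+)$")

_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def evaluate(expr: str, frame: bytes) -> bool:
    """Apply one `wlan[off:size] & mask relop value` primitive to a frame.

    Assumption: only this single-primitive shape is handled (no and/or/not,
    no arithmetic beyond the mask). Multi-byte accesses are read big-endian,
    as the tcpdump accessors do, even though 802.11 stores its own multi-byte
    fields (duration, sequence control) little-endian on the wire."""
    m = _PRIM.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter primitive: {expr!r}")
    off, size = int(m["off"]), int(m["size"] or 1)
    if off + size > len(frame):
        return False            # an access past the end of the frame never matches
    field = int.from_bytes(frame[off:off + size], "big")
    if m["mask"] is not None:
        field &= int(m["mask"], 0)
    return _OPS[m["op"]](field, int(m["val"], 0))


def select(expr: str, frames) -> list:
    """Return the frames the primitive would pass through."""
    return [f for f in frames if evaluate(expr, f)]


if __name__ == "__main__":
    for name, f in zip(["beacon", "ack", "data", "qos-data"], SAMPLE_FRAMES):
        print(f"{name:9s} wlan[0]=0x{f[0]:02x} -> {frame_control(f)}")
    for name, expr in FILTERS.items():
        hits = [SAMPLE_FRAMES.index(f) for f in select(expr, SAMPLE_FRAMES)]
        print(f"{expr:24s} ({name}) matches frame indexes {hits}")
```

The byte-accessor form works on any libpcap version and is what the reply recommends. Later libpcap releases also added named 802.11 keywords (for example `wlan type mgt`), but those are a convenience layered over the same Frame Control bits this example decodes, so checking the bit layout by hand is still the way to verify what a filter actually selects.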

