Re: Capture filters for wlan

[Guy Harris <guy () alum mit edu>]

On Jul 3, 2010, at 4:56 AM, j.snelders wrote:

> ra capture filter
> wlan[4:4]==0xb0141e30

OK, I checked 802.11-2007, and the ra and ta are always in the same address field (unlike sa and da, which are in 
different address fields based on the setting of To DS and From DS).

So, with newer versions of libpcap, although you can't say "wlan ra XX:XX:XX:XX:XX:XX" or "wlan ta XX:XX:XX:XX:XX:XX", 
you can say "wlan addr1 XX:XX:XX:XX:XX:XX" to filter on the RA field and "wlan addr2 XX:XX:XX:XX:XX:XX" to filter on 
the TA field.

I'll look at making "wlan ra" and "wlan ta" aliases for "wlan addr1" and "wlan addr2"; that's relatively 
straightforward.

(BTW, this also found a bug wherein saying "wlan addr{1,2,3,4}" on anything other than a device returning 802.11 
headers will crash the application using libpcap/WinPcap; that bug is in all versions of libpcap/WinPcap that support 
"wlan addr{1,2,3,4}".)

> wlan[4:4*]
> * 4 seems to be the max

Yes, it is, unfortunately, so you'd have to use two expressions to check all 6 octets.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe