Re: Capture filters for wlan

["j.snelders" <j.snelders () telfort nl>]

Thank you.

On Sat, 3 Jul 2010 10:56:25 -0700 Guy Harris wrote:
> On Jul 3, 2010, at 4:56 AM, j.snelders wrote:
>
> > ra capture filter
> > wlan[4:4]==0xb0141e30
>
> OK, I checked 802.11-2007, and the ra and ta are always in the same address
> field (unlike sa and da, which are in different address fields based on
the
> setting of To DS and From DS).
>
> So, with newer versions of libpcap, although you can't say "wlan ra XX:XX:XX:XX:XX:XX"
> or "wlan ta XX:XX:XX:XX:XX:XX", you can say "wlan addr1 XX:XX:XX:XX:XX:XX"
> to filter on the RA field and "wlan addr2 XX:XX:XX:XX:XX:XX" to filter on
> the TA field.
>
> I'll look at making "wlan ra" and "wlan ta" aliases for "wlan addr1" and
> "wlan addr2"; that's relatively straightforward.
>
> (BTW, this also found a bug wherein saying "wlan addr{1,2,3,4}" on anything
> other than a device returning 802.11 headers will crash the application
using
> libpcap/WinPcap; that bug is in all versions of libpcap/WinPcap that support
> "wlan addr{1,2,3,4}".)
>
> > wlan[4:4*]
> > * 4 seems to be the max
>
> Yes, it is, unfortunately, so you'd have to use two expressions to check
> all 6 octets.



       


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe