Wireshark mailing list archives

Re: Filter out a string using a display filter


From: "j.snelders" <j.snelders () telfort nl>
Date: Fri, 14 May 2010 17:47:41 +0200

Hi Panos,

First question:
You can take a look at the "Filter Expression" dialog box
http://www.wireshark.org/docs/wsug_html_chunked/ChUseFilterToolbarSection.html
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkFilterAddExpressionSection.html

Select:
Fieldname: IEEE 802.11 - IEEE 802.11 wireless LAN -> wlan.fc.type_subtype
Relation: ==

You will see Predefined values at the right side of the dialog box.

Or browse to:
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ieee80211.c?view=markup&pathrev=22102
To find the values search for: MGT_PROBE_REQ


Second question:
You can open the capture files with Microsoft Network Monitor 3.3 and filter
on "Description"
http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en


Hope this helps
Joan

On Fri, 14 May 2010 10:49:27 -0400 Anthony Murabito wrote:
Hi Panos,

The reference table you speak of is formally contained within the IEEE
802.11 Standard. There may be some wireshark code you can look at,
however, that may map all the type/subtypes out as well. Perhaps someone
on this mailing list can point you to that place, I don't know where it
is.

I don't have a good answer to your second question, however I can answer
the third. Probe Requests & Responses are a generic way for 802.11
devices to exchange information. They are packed with information
elements which can show security configurations, supported rates, 11n
capabilities, proprietary information, etc. They are often used when an
802.11 device is in "Active Scanning" mode, to find out information
about all local basic service sets.

-Anthony

On 05/14/2010 07:13 AM, Panagiotis Georgopoulos wrote:
Hello Antony and Guy,

On May 13, 2010, at 9:11 AM, Anthony Murabito wrote:

Hi Panos,

wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05

I.e., 802.11 probe packets don't contain the phrase "probe request" or
"probe response"; those strings are contained, instead, in Wireshark
and TShark (or, rather, in the library that both of them use to dissect
packets), and they use them when displaying the packet summary and
details.  What the probe request and response packets contain (along
with all other 802.11 packets) are a type and subtype field, with
particular values for particular packet types, and what you need to
check for are those packet types.
     

Thank you both very much for your replies, they were really helpful! Antony
provided a solution to the problem and Guy an explanation;-)

I get this now, however:

     a) is there a reference table somewhere that describes these values
e.g. that 0x04 is probe request and 0x05 is probe reply?
     b) is there a way to instruct Wireshark to filter based on the info
it presents in the info field for a packet? (which is what the user sees,
so IMHO it makes much more sense)
     c) although this goes beyond the scope of this list, what are these
probe request and response 802.11 packets exactly? I was not seeing them
in previous tests, why did they appear now?


     Thanks a lot in advance,
     Panos


   
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
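Editor's worked example for the questions in this thread; this is not code from Wireshark and not code posted by anyone above. It decodes the Frame Control field the way Guy describes (a type and a subtype, not a string), computes the value Wireshark shows as wlan.fc.type_subtype ((type << 4) | subtype, so 0x04 and 0x05 are the probe request and response from Anthony's filter), looks it up in a name table that is a hand-copied subset of the IEEE 802.11 type/subtype table (the full list is in packet-ieee80211.c), applies that filter, and walks the information elements (SSID, Supported Rates, RSN) of a probe request and a probe response. The three frames, the addresses 02:00:00:00:00:01 and 02:00:00:00:00:aa and the SSID "example" are constructed for the example.

```python
"""Decode the IEEE 802.11 Frame Control field and management-frame IEs.
Editor's added example, not Wireshark code and not code from the thread;
every frame below is constructed by hand."""
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
# Hand-copied subset of the IEEE 802.11 type/subtype table (full list in
# epan/dissectors/packet-ieee80211.c).  Wireshark's wlan.fc.type_subtype is
# (type << 4) | subtype: management subtype 4 = 0x04, ACK = 0x1D, data = 0x20.
TYPE_SUBTYPE_NAMES = {
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
    0x0B: "Authentication", 0x0C: "Deauthentication", 0x1D: "Acknowledgement",
    0x20: "Data", 0x24: "Null function (No data)", 0x28: "QoS Data",
}
# 24-byte header: FC, duration, addr1..addr3, sequence control (little-endian)
MGMT_HDR = struct.Struct("<HH6s6s6sH")

def frame_control(frame):
    """Split the first two bytes into (version, type, subtype, flags)."""
    b0, flags = frame[0], frame[1]
    return b0 & 0x03, (b0 >> 2) & 0x03, (b0 >> 4) & 0x0F, flags

def type_subtype(frame):
    """The value Wireshark displays as wlan.fc.type_subtype."""
    _, ftype, subtype, _ = frame_control(frame)
    return (ftype << 4) | subtype

def describe(frame):
    """The name the Info column is built from; it lives here, not in the frame."""
    ts = type_subtype(frame)
    return TYPE_SUBTYPE_NAMES.get(
        ts, "%s frame, subtype 0x%x" % (TYPE_NAMES[ts >> 4], ts & 0x0F))

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_ies(body):
    """Walk tag/length/value information elements; reject a truncated one."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated IE tag %d at offset %d" % (tag, i))
        ies.append((tag, value))
        i += 2 + length
    return ies

def parse_mgmt(frame):
    """Decode the fields a probe request or probe response carries."""
    _, _, addr1, addr2, addr3, _ = MGMT_HDR.unpack_from(frame, 0)
    body, ts = frame[MGMT_HDR.size:], type_subtype(frame)
    info = {"type_subtype": ts, "name": describe(frame),
            "da": mac(addr1), "sa": mac(addr2), "bssid": mac(addr3)}
    if ts == 0x05:  # probe responses carry timestamp/interval/capability first
        _, interval, capab = struct.unpack_from("<QHH", body, 0)
        info["beacon_interval_tu"], info["privacy"] = interval, bool(capab & 0x10)
        body = body[12:]
    for tag, value in parse_ies(body):
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 1:  # units of 500 kbit/s; bit 7 marks a basic rate
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
        elif tag == 48:  # RSN IE: the "security configuration" Anthony mentions
            info["rsn"] = True
    return info

def not_probe(frame):
    """Anthony's filter: wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05"""
    return type_subtype(frame) not in (0x04, 0x05)

def filter_by_info(frames, needle):
    """Question (b): filtering on the Info text is filtering describe()'s output."""
    return [f for f in frames if needle in describe(f)]

# --- constructed frames; addresses and SSID are made up for the example ---
BCAST, STA, AP = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\xaa"

def ie(tag, value):
    return bytes([tag, len(value)]) + value

SSID_IE = ie(0, b"example")
RATES_IE = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))  # 1, 2, 5.5, 11 Mb/s (basic)
RSN_IE = ie(48, bytes.fromhex("0100000fac040100000fac040100000fac020000"))
# FC 0x0040 -> first byte 0x40: version 0, type 0 (management), subtype 4
PROBE_REQ = MGMT_HDR.pack(0x0040, 0, BCAST, STA, BCAST, 0) + SSID_IE + RATES_IE
# FC 0x0050 -> subtype 5; fixed fields: timestamp, interval 100 TU, ESS|Privacy
PROBE_RESP = (MGMT_HDR.pack(0x0050, 0, STA, AP, AP, 0)
              + struct.pack("<QHH", 123456, 100, 0x0011)
              + SSID_IE + RATES_IE + RSN_IE)
# FC 0x0108 -> first byte 0x08: type 2 (data), subtype 0; flags 0x01 = To DS
DATA = MGMT_HDR.pack(0x0108, 0, AP, STA, BCAST, 0) + b"\xaa\xaa\x03" + b"\x00" * 8
FRAMES = [PROBE_REQ, PROBE_RESP, DATA]

def summary(frames):
    return [(type_subtype(f), describe(f)) for f in frames]

if __name__ == "__main__":
    for ts, name in summary(FRAMES):
        print("0x%02x  %s" % (ts, name))
```

Running the file prints one line per frame in the shape of Wireshark's Info column (0x04 Probe Request, 0x05 Probe Response, 0x20 Data). not_probe() keeps only the data frame, which is what the display filter in the thread does; filter_by_info() gives the same result here, but only because it runs after dissection: the words "Probe Request" exist in TYPE_SUBTYPE_NAMES, not in the frame bytes, which is why Wireshark filters on wlan.fc.type_subtype rather than on the rendered text.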


       

