This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

new to filters

0

I'm new to filters in Wireshark. Any filter I try like tcp or http or ip clears all packets. I'm specifically trying to see only broadcasts with the filter eth.addr == ff:ff:ff:ff:ff:ff . Applying this filter clears all packets. When I remove the filter, I see all kinds of broadcast packets. I'm running Wireshark 1.6.7 as root, capturing on wlan0.mon.

asked 08 Jun '12, 07:33

jbagg

edited 08 Jun '12, 07:34


One Answer:

2

If you're capturing on the wlan0.mon interface, then your packets are probably not Ethernet encapsulated, but IEEE 802.11 encapsulated. Try a filter of wlan.da == ff:ff:ff:ff:ff:ff instead, assuming that's the field you're interested in.

Remember that you can always left-click within the packet details pane on the field that you are interested in and see what the filter name is for that field in the status bar. You can also right-click on the field and choose either the "Apply as Filter" or "Prepare a Filter" options from the menu to avoid some extra typing.

answered 08 Jun '12, 07:55

cmaynard ♦♦

Thank you, wlan.addr works!

(08 Jun '12, 08:05) jbagg
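
An added example, not part of the original thread: a short Python sketch of why the encapsulation decides which filter field applies. It reads the link-layer type from a pcap file header and locates the destination address in an Ethernet frame versus a radiotap/802.11 frame, going slightly beyond the broadcast case by also handling ToDS data frames, where the DA is Address 3. The function names and sample bytes are constructed for illustration.

```python
import struct

# LINKTYPE_ values from the pcap link-layer header type registry
ETHERNET, IEEE802_11, RADIOTAP = 1, 105, 127
BROADCAST = b"\xff" * 6

def linktype(pcap_header: bytes) -> int:
    """Link-layer type from a 24-byte classic pcap global header."""
    magic = pcap_header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec/nsec
        order = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec/nsec
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    return struct.unpack(order + "I", pcap_header[20:24])[0] & 0xFFFF

def destination(lt: int, frame: bytes):
    """6-byte destination address of one captured frame, or None if it has none."""
    if lt == ETHERNET:
        return frame[0:6]
    if lt == RADIOTAP:
        # skip the radiotap header; its total length is a little-endian u16 at offset 2
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
    elif lt != IEEE802_11:
        raise ValueError(f"unhandled link type {lt}")
    if (frame[0] >> 2) & 0x3 == 1:      # control frames (ACK, CTS, ...) carry no DA
        return None
    to_ds = frame[1] & 0x01
    return frame[16:22] if to_ds else frame[4:10]   # DA is Address 3 or Address 1

def broadcast_filter(lt: int) -> str:
    field = "eth.dst" if lt == ETHERNET else "wlan.da"
    return f"{field} == ff:ff:ff:ff:ff:ff"

# Constructed sample: pcap header for a radiotap capture and one beacon frame.
BSSID = bytes.fromhex("020000000001")
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, RADIOTAP)
SAMPLE_FRAME = (bytes([0, 0, 8, 0, 0, 0, 0, 0])          # minimal 8-byte radiotap header
                + b"\x80\x00\x00\x00" + BROADCAST + BSSID + BSSID + b"\x00\x00")

if __name__ == "__main__":
    lt = linktype(SAMPLE_HEADER)
    print(lt, destination(lt, SAMPLE_FRAME).hex(":"), broadcast_filter(lt))
```

To check a real capture, pass the first 24 bytes of the .pcap file to `linktype()`; a monitor-mode capture typically reports 127 (radiotap) or 105 rather than 1.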