This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

This is a bit of a dumb question but I have been struggling with this for an hour or so without getting a resolution. I have a capture file containing WiFi packets. I want to filter out all packets not going to or from a particular access point. There are thousands of packets in the trace so I just want to watch what is happening between my 4 clients and the access point. Should be easy enough. When I enter the required display filter, it appears in green, but when I apply it, no packets are displayed. This is the same whether I type in the source and destination in manually or I right click on a packet and select apply as filter. The capture is IEEE802 and RadioTap. IP address filtering works so it is not that the display filter is not working. I am sure I have used this in the past. The inverse of the filter doesn't work either - it displays all packets including those with the selected MAC address. Thanks in anticipation. (The same issue applies to older versions as well as the newest so it must be something I am doing wrong).

asked 11 Mar '13, 04:27

DBBarrass's gravatar image

DBBarrass
11112
accept rate: 0%

What display filter are you using? 802.11 has more than just source and destination MAC addresses; which MAC addresses are you checking?

(11 Mar '13, 20:00) Guy Harris ♦♦

Hi Guy, thanks for the reply. The filter I am using is eth.src == 04:f0:21:03:7d:c0 also used in conjunction with eth.dst and the same MAC address so I can (hopefully) see both side of the conversation.

I have successfully used a capture filter using ether host with the same MAC address and this works well, I end up with a capture file containing only traffic relating to the WiFi access point I am tracing. However, this obviously doesn't work with an existing capture file containing traffic from several access points and clients.

Is there a way of uploading a (small) capture file if this would help?

(12 Mar '13, 02:40) DBBarrass

Yes, you can do that on http://www.cloudshark.org and post the URL here after uploading the file.

(12 Mar '13, 02:51) Jasper ♦♦

The filter I am using is eth.src == 04:f0:21:03:7d:c0

That filter only matches packets that contain an Ethernet header, so it will not match any packets with an 802.11 header (except for ones that have an Ethernet packet encapsulated within them, and thus have both 802.11 and Ethernet headers).

For 802.11 packets, you would need the filter "wlan.src == 04:f0:21:03:7d:c0". (Note that this will not match a packet that was sent by some other MAC address to an access point with the MAC address of 04:f0:21:03:7d:c0.)

(And, yes, this means that there is no such thing as a generic MAC address display filter. That is a deficiency of the current display filter mechanism.)

permanent link

answered 12 Mar '13, 03:27

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 12 Mar '13, 03:28

Aaargh - so obvious! Thanks a lot. Should have read the manual more closely. Thanks a bunch.

(12 Mar '13, 10:40) DBBarrass
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×165
×157

question asked: 11 Mar '13, 04:27

question was seen: 9,520 times

last updated: 12 Mar '13, 10:40

p​o​w​e​r​e​d by O​S​Q​A