Hi, This is a bit of a dumb question but I have been struggling with this for an hour or so without getting a resolution. I have a capture file containing WiFi packets. I want to filter out all packets not going to or from a particular access point. There are thousands of packets in the trace so I just want to watch what is happening between my 4 clients and the access point. Should be easy enough. When I enter the required display filter, it appears in green, but when I apply it, no packets are displayed. This is the same whether I type in the source and destination in manually or I right click on a packet and select apply as filter. The capture is IEEE802 and RadioTap. IP address filtering works so it is not that the display filter is not working. I am sure I have used this in the past. The inverse of the filter doesn't work either - it displays all packets including those with the selected MAC address. Thanks in anticipation. (The same issue applies to older versions as well as the newest so it must be something I am doing wrong). asked 11 Mar '13, 04:27 DBBarrass |
One Answer:
That filter only matches packets that contain an Ethernet header, so it will not match any packets with an 802.11 header (except for ones that have an Ethernet packet encapsulated within them, and thus have both 802.11 and Ethernet headers). For 802.11 packets, you would need the filter "wlan.src == 04:f0:21:03:7d:c0". (Note that this will not match a packet that was sent by some other MAC address to an access point with the MAC address of 04:f0:21:03:7d:c0.) (And, yes, this means that there is no such thing as a generic MAC address display filter. That is a deficiency of the current display filter mechanism.) answered 12 Mar '13, 03:27 Guy Harris ♦♦ edited 12 Mar '13, 03:28 Aaargh - so obvious! Thanks a lot. Should have read the manual more closely. Thanks a bunch. (12 Mar '13, 10:40) DBBarrass |
What display filter are you using? 802.11 has more than just source and destination MAC addresses; which MAC addresses are you checking?
Hi Guy, thanks for the reply. The filter I am using is eth.src == 04:f0:21:03:7d:c0 also used in conjunction with eth.dst and the same MAC address so I can (hopefully) see both side of the conversation.
I have successfully used a capture filter using ether host with the same MAC address and this works well, I end up with a capture file containing only traffic relating to the WiFi access point I am tracing. However, this obviously doesn't work with an existing capture file containing traffic from several access points and clients.
Is there a way of uploading a (small) capture file if this would help?
Yes, you can do that on http://www.cloudshark.org and post the URL here after uploading the file.