This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to set a display filter for a MAC address

0

Using Wireshark with a wireless interface card, I have been foiled at using display filters for a MAC address.

After capturing traffic and seeing the desired MAC address in many Source and Destination rows, the right-click > Apply as Filter > Selected command fills in the Filter: field with the apparently correct eth.src statement with the desired MAC address, but this causes all displayed rows to go blank. Clearing the filter brings back all the rows.

I'm running Wireshark on a MacBook Air.

Thanks in advance for your help!

asked 08 Apr '13, 13:39


SwiftAero
accept rate: 0%


One Answer:

4

Did you try one of these display filters:

Source Addr: wlan.sa == xx:xx:xx:xx:xx:xx
Destination Addr: wlan.da == xx:xx:xx:xx:xx:xx

Regards
Kurt

answered 08 Apr '13, 15:42


Kurt Knochner ♦
accept rate: 15%

edited 08 Apr '13, 15:59

Excellent! That works great. Thank you very much!

I'm also interested in understanding why eth.src == xx:xx:xx:xx:xx:xx does not work, especially because Wireshark suggests that when the column is right-clicked. Any thoughts?

(08 Apr '13, 18:05) SwiftAero

I'm also interested in understanding why eth.src == xx:xx:xx:xx:xx:xx does not work,

because there is no Ethernet header.

especially because Wireshark suggests that when the column is right-clicked. Any thoughts?

I think the GUI-generated display filters are not 'prepared' to handle situations when there is no Ethernet header. You can add an enhancement bug at https://bugs.wireshark.org if you want that 'fixed'.

(09 Apr '13, 03:07) Kurt Knochner ♦

It doesn't work because the addresses in question are put into the protocol tree as part of the 802.11 link-layer header, and thus begin with "wlan."; Ethernet addresses are put in as part of the Ethernet header, and thus begin with "eth."

What Wireshark should have is something such as "{src,dst} host XX:XX:XX:XX:XX:XX", i.e. a syntax like the libpcap capture filter syntax, which will look for packets where the {source,destination} link-layer address (or either address, if neither "src" nor "dst" are specified) is equal to the specified address, regardless of whether the packet is Ethernet or 802.11 or... (as long as it has IEEE 802-style MAC addresses; not all link layers do).

It currently doesn't. However, the development version should, if you have 802.11 packets, suggest "wlan.sa = XX:XX:XX:XX:XX:XX" if you Command-click the Src column and "wlan.da = XX:XX:XX:XX:XX:XX" if you Command-click the Dst column.

(09 Apr '13, 20:05) Guy Harris ♦♦
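To make the two points above concrete (Kurt's wlan.sa/wlan.da answer and Guy's explanation that the addresses live in the 802.11 header, not an Ethernet header), here is an added example that is not Wireshark code and not part of the original thread. It models just enough of the Ethernet and 802.11 dissectors to run on three constructed frames, evaluates "field == value" display filters the way Wireshark does (a field the frame does not carry never matches, which is why eth.src blanks out an 802.11 capture), and sketches the link-layer-agnostic "[src|dst] host" filter Guy proposes. The MAC addresses, the `HOST_FIELDS` mapping and the helper names are assumptions for the example.

```python
"""Why "eth.src == <mac>" matches nothing in an 802.11 capture (added example)."""
import struct
from typing import Dict, Optional

# libpcap link-layer type values: DLT_EN10MB and DLT_IEEE802_11
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def dissect_ethernet(frame: bytes) -> Dict[str, str]:
    """Fields the Ethernet dissector registers: eth.dst, eth.src, eth.type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"eth.dst": mac_str(dst), "eth.src": mac_str(src),
            "eth.type": f"0x{ethertype:04x}"}


def dissect_wlan(frame: bytes) -> Dict[str, str]:
    """Fields the 802.11 dissector registers for a data frame.

    The MAC header carries three (or four) raw addresses; which one is the
    source/destination depends on the To DS / From DS bits, so wlan.sa and
    wlan.da are derived from them. No eth.* field is ever produced.
    """
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc1 = frame[1]                    # second byte of the Frame Control field
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    fields = {"wlan.ra": mac_str(addr1), "wlan.ta": mac_str(addr2)}
    if not to_ds and not from_ds:     # IBSS / ad hoc: DA, SA, BSSID
        da, sa = addr1, addr2
    elif from_ds and not to_ds:       # AP -> station: DA, BSSID, SA
        da, sa = addr1, addr3
    elif to_ds and not from_ds:       # station -> AP: BSSID, SA, DA
        da, sa = addr3, addr2
    else:                             # WDS: RA, TA, DA, then SA as Address 4
        if len(frame) < 30:
            raise ValueError("4-address frame without Address 4")
        da, sa = addr3, frame[24:30]
    fields.update({"wlan.da": mac_str(da), "wlan.sa": mac_str(sa)})
    return fields


def dissect(linktype: int, frame: bytes) -> Dict[str, str]:
    if linktype == LINKTYPE_ETHERNET:
        return dissect_ethernet(frame)
    if linktype == LINKTYPE_IEEE802_11:
        return dissect_wlan(frame)
    raise ValueError(f"unsupported link type {linktype}")


def field_equals(fields: Dict[str, str], field: str, mac: str) -> bool:
    """Evaluate '<field> == <mac>': a field the frame lacks never matches."""
    return fields.get(field, "").lower() == mac.lower()


# Assumed mapping for the "[src|dst] host <mac>" filter suggested in the
# thread; Wireshark's display-filter language does not provide this.
HOST_FIELDS = {"src": ["eth.src", "wlan.sa"],
               "dst": ["eth.dst", "wlan.da"],
               None: ["eth.src", "eth.dst", "wlan.sa", "wlan.da"]}


def host_matches(fields: Dict[str, str], mac: str,
                 direction: Optional[str] = None) -> bool:
    return any(field_equals(fields, f, mac) for f in HOST_FIELDS[direction])


# Constructed sample frames (addresses are made up for the example).
STATION = "aa:bb:cc:dd:ee:ff"
PEER = "00:11:22:33:44:55"
AP = "02:00:00:00:00:01"
ETH_FRAME = mac_bytes(PEER) + mac_bytes(STATION) + b"\x08\x00" + b"payload"
# 802.11 data frame, To DS=1: Addr1=BSSID, Addr2=SA, Addr3=DA
WLAN_TO_DS = (b"\x08\x01" + b"\x00\x00" + mac_bytes(AP) + mac_bytes(STATION)
              + mac_bytes(PEER) + b"\x00\x00" + b"payload")
# 802.11 WDS frame, To DS=1 and From DS=1: Addr3=DA, Addr4=SA
WLAN_WDS = (b"\x08\x03" + b"\x00\x00" + mac_bytes(AP)
            + mac_bytes("02:00:00:00:00:02") + mac_bytes(PEER) + b"\x00\x00"
            + mac_bytes(STATION) + b"payload")


def demo() -> Dict[str, Dict[str, bool]]:
    """Apply the three filters to each frame; only 'src host' matches all."""
    samples = [("ethernet", LINKTYPE_ETHERNET, ETH_FRAME),
               ("wlan_to_ds", LINKTYPE_IEEE802_11, WLAN_TO_DS),
               ("wlan_wds", LINKTYPE_IEEE802_11, WLAN_WDS)]
    results = {}
    for name, linktype, frame in samples:
        fields = dissect(linktype, frame)
        results[name] = {"eth.src": field_equals(fields, "eth.src", STATION),
                         "wlan.sa": field_equals(fields, "wlan.sa", STATION),
                         "src host": host_matches(fields, STATION, "src")}
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Running it shows the GUI's suggested eth.src filter matching only the Ethernet frame, wlan.sa matching only the two 802.11 frames, and the proposed "src host" form matching all three; the WDS frame is included because its source address sits in the fourth address field, so a filter that only looked at the first three would miss it.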

The TTE dissector solves this differently: it picks up the ids of "eth.src" and "eth.dst" and uses those to add proto tree items. These could be added as hidden (gasp) items to the ieee80211 wlan.sa and wlan.da items.

The real solution would be to register (per frame) with the column type what hf is applicable for the current contents of the column, so proper filter expressions can be composed.

(09 Apr '13, 23:12) Jaap ♦