Hi there,
When capturing wireless 802.11 packets in Wireshark, is there a way to apply capture filters such as filtering specific SSIDs? The NIC is operating in monitor mode so it is capturing broadcast packets from other SSIDs that I do not want. Any help would be much appreciated. Thank you.
Wireshark version 1.2.11
Ubuntu 10.10
asked 08 Feb '11, 14:02 taj
3 Answers:
Although not really regarding capture filters in Wireshark, maybe this helps: For generating the trace files I would recommend using airodump-ng from the aircrack suite, especially when already running a Linux OS. A sample command for filtering a specific SSID would be:
e.g. airodump-ng -c 6 --bssid 00:13:29:11:22:33 -w /usr/sniffer/wireless-trace.pcap
Another advantage is that airodump only captures one beacon frame per AP, thereby keeping trace file size and readability much better.
answered 10 Feb '11, 02:26 Landi
Thanks Landi for your reply. One issue that I am getting is that when I run the above script, I am not getting the transmitted traffic. The test was performed on two machines connected via an ad-hoc connection and they were constantly pinging each other during the airmon-ng capture. However, when I run the trace file in Wireshark, it does not show the ICMP (ping) packets; it shows the IEEE traffic, which is what I want, but I also need to see those ICMP packets too. Any ideas? Really appreciate all your help.
Taj
answered 11 Feb '11, 05:08 taj
filter: wlan.bssid eq mac_address_of_access_point
answered 16 Feb '11, 08:43 vivekjo
Yup that's the display filter - taj was looking for a capture filter (16 Feb '11, 10:24) Landi
Sorry for the late answer - been busy...
Do you only see IEEE 802.11 frames? Because afaik ad-hoc enables WEP encryption, thus you see encrypted traffic inside Wireshark. Those ICMP packets would then be displayed as 802.11 Data frames.
If that's the case, you would have to enter the encryption key under the protocol preferences of 802.11 and by this enable Wireshark to decrypt and display what's inside those frames.
Yes, I'm only seeing the IEEE 802.11 frames, but I made sure that there was no security enabled on the ad-hoc network as I already knew that I wouldn't see the encrypted content. Any ideas?
Thanks again for your help.
Taj
urks... good question - did you completely disable security by setting No encryption and OPEN authentication? My next guess would be the setup was no encryption but shared authentication, which actually is a very weak way of "encrypting" wireless frames...
I just tried to set up ad-hoc to make a test trace, but my smartphone won't do ad-hoc, so next time I have three stations, I will rerun the setup and take a look at my traces to see if I get the same problem.
Pls keep me updated on your case
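Both suggestions in this thread (airodump-ng's --bssid and the wlan.bssid display filter) match on BSSID, and which 802.11 address field holds the BSSID depends on the frame type and the To DS / From DS bits, with ad-hoc (IBSS) data frames carrying it in address 3. The following is an added example, not code from any of the posters, that filters radiotap-prefixed frames by BSSID on that basis; the function names are hypothetical and the sample frames are constructed, not taken from a real capture.

```python
import struct
from typing import List, Optional

def strip_radiotap(pkt: bytes) -> bytes:
    """Remove the radiotap header that monitor-mode captures prepend."""
    (rt_len,) = struct.unpack_from("<H", pkt, 2)  # header length: LE u16 at offset 2
    return pkt[rt_len:]

def bssid_of(frame: bytes) -> Optional[str]:
    """BSSID of an 802.11 management or data frame, or None if it carries none."""
    if len(frame) < 22:
        return None                      # ACK/CTS etc.: only one or two addresses
    ftype = (frame[0] >> 2) & 0x3        # 0 = management, 1 = control, 2 = data
    to_ds, from_ds = frame[1] & 0x1, (frame[1] >> 1) & 0x1
    addr = {1: frame[4:10], 2: frame[10:16], 3: frame[16:22]}
    if ftype == 0:
        pick = 3                         # beacons, probes, auth: BSSID is addr3
    elif ftype == 2 and not to_ds and not from_ds:
        pick = 3                         # ad-hoc (IBSS) data
    elif ftype == 2 and from_ds and not to_ds:
        pick = 2                         # AP -> station
    elif ftype == 2 and to_ds and not from_ds:
        pick = 1                         # station -> AP
    else:
        return None                      # control frames, 4-address WDS data
    return ":".join(f"{b:02x}" for b in addr[pick])

def filter_bssid(packets: List[bytes], bssid: str) -> List[bytes]:
    """Keep only the captured packets whose 802.11 frame belongs to `bssid`."""
    return [p for p in packets if bssid_of(strip_radiotap(p)) == bssid.lower()]

# --- constructed sample input (not from a real capture) ---
RT = bytes.fromhex("0000080000000000")              # minimal 8-byte radiotap header
WANT = bytes.fromhex("001329112233")                # BSSID from the airodump-ng answer
OTHER = bytes.fromhex("020000aaaaaa")               # constructed second network
STA_A, STA_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST = b"\xff" * 6

def frame(fc: bytes, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """Radiotap + frame control + duration + three addresses + sequence control."""
    return RT + fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

SAMPLES = {
    "beacon_wanted": frame(b"\x80\x00", BCAST, WANT, WANT),
    "beacon_other":  frame(b"\x80\x00", BCAST, OTHER, OTHER),
    "adhoc_data":    frame(b"\x08\x00", STA_B, STA_A, WANT),
    "from_ap_data":  frame(b"\x08\x02", STA_A, WANT, STA_B),
    "to_ap_data":    frame(b"\x08\x01", WANT, STA_A, STA_B),
    "ack":           RT + b"\xd4\x00\x00\x00" + STA_A,
}
```

Control frames such as ACKs carry no BSSID, so a strict BSSID filter drops them along with the other networks' traffic.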