MAC conversation filter

Question

I have been working with Wireshark, AirPcap and Cascade for a few years now. One thing I frequently spend time on when I analyze a log is setting up what I’ll call a “MAC level conversation” filter. This is similar to the TCP/IP conversation filter except of course it is at the lowest level. For example, if I want to restrict the display to show only packets going to/from an AP and STA, my filter looks like this:

(wlan.addr == 00:03:7f:04:09:7c) || (wlan.addr == 00:03:7f:04:09:6b)

The problem with this filter is two-fold: 1) There are packets triggered from other STA that clutter the log e.g. Probe Responses 2) In the presence of retransmissions, it takes a significant amount of manual post-log analysis to determine which packet(s) were actually received properly (acknowledged.)

Ideally, I would like to define a filter that was truly restricted to the properly transmitted and received packets between two devices. With this filter, for example, you would only see a retransmitted packet if and only if it was acknowledged by the correct device. The filter would also have enough “smarts” to use sequence numbers to determine if a packet acknowledgment was recognized - in other words, you would never see more than one packet of each sequence number after applying the filter.

It seems to me that a certain amount of scripting is required; one problem is that ACK packets do not have source addresses.

Anyone ever solve this problem?

Answer 1

The filter would also have enough “smarts” to use sequence numbers to determine if a packet acknowledgment was recognized

There are no sequence numbers in 802.11 ACK frames, so you can't build a 'simple' filter to find frames without an ACK.

In order to filter out un-acknowledged packets we would need some smarts to check for an ACK - any idea how to do this?

The 'smarts' could a script you'll have to develop.

So, here is what you can do: Use tshark to print the DATA and ACK frames for a certain station. Then use a script to find several consecutive DATA frames. Those are (most certainly) the ones without ACK. Additionally you can look at the time delta between the data frames and the next ACK frame.

tshark -nr wlan.pcap -Y "(wlan.sa == 00:0d:93:82:36:3a and wlan.da == 00:0c:41:82:b2:53 and wlan.fc.type_subtype == 0x20) or (wlan.ra == 00:0d:93:82:36:3a and wlan.fc.type_subtype == 0x1d)" -T fields -e frame.number -e frame.time_relative -e wlan.sa -e wlan.da -e wlan.ra -e wlan.fc.type_subtype -E header=y -E separator=;

Explanation of the filter:

DATA frames: wlan.sa == 00:0d:93:82:36:3a and wlan.da == 00:0c:41:82:b2:53 and wlan.fc.type_subtype == 0x20
ACK frames: wlan.ra == 00:0d:93:82:36:3a and wlan.fc.type_subtype == 0x1d

Sample output for the following capture file:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

439;13.405660000;00:0d:93:82:36:3a;00:0c:41:82:b2:53;00:0c:41:82:b2:55;0x20
440;13.405677000;;;00:0d:93:82:36:3a;0x1d
451;13.517648000;00:0d:93:82:36:3a;00:0c:41:82:b2:53;00:0c:41:82:b2:55;0x20
457;13.656629000;00:0d:93:82:36:3a;00:0c:41:82:b2:53;00:0c:41:82:b2:55;0x20
458;13.656641000;;;00:0d:93:82:36:3a;0x1d
459;13.667624000;00:0d:93:82:36:3a;00:0c:41:82:b2:53;00:0c:41:82:b2:55;0x20
460;13.667637000;;;00:0d:93:82:36:3a;0x1d

There no real retransmissons in that capture file, but if you look at frames 451 and 457 you'll get an idea how it will look like. Those frames are two data frames without an ACK inbetween.

Regards
Kurt

Answer 2

I think you probably want to use && instead of ||, as in:

(wlan.addr == 00:03:7f:04:09:7c) && (wlan.addr == 00:03:7f:04:09:6b)

That probably won't give you everything you want, but it should be closer.