This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding UDP packets sent by Cisco AP in real time.

Hello,

We'd like to know if it's possible to decode UDP packets sent by Cisco APs on port 5555 from the command line and also apply a filter for probe requests. If so, what would be the syntax? Thanks in advance.

Kind Regards, Enrique

asked 20 Feb '14, 03:15

eroques


One Answer:

Yes.

Right-click an example packet in Wireshark, select "Decode As" and then select "AIROPEEK". If you're using Wireshark 1.8 or later, that would be "PEEKREMOTE".

For a display filter, you should be able to use "wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05" to grab the probe request/response exchanges. After the Airopeek header it's just normal 802.11.

For the command line question, if you meant Tshark, something like:

tshark -i {interface} -R 'wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05' -d udp.port==5555,airopeek

answered 26 Feb '14, 18:12

Quadratic
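An added example, not part of the original answer: how the 0x04 and 0x05 values in the display filter map onto the 802.11 frame control bits, with the source MAC and SSID pulled from probe frames. It assumes the Airopeek/PEEKREMOTE encapsulation has already been stripped so the bytes start at the 802.11 header; the function names and sample frames are constructed for illustration.

```python
# Values matched by the answer's filter on wlan.fc.type_subtype
PROBE_REQUEST, PROBE_RESPONSE = 0x04, 0x05

def type_subtype(frame: bytes) -> int:
    """Combine the 802.11 type and subtype bits into one value, as the filter field does."""
    if len(frame) < 2:
        raise ValueError("frame too short for a frame control field")
    ftype = (frame[0] >> 2) & 0x3      # bits 2-3 of the first octet: 0 = management
    subtype = (frame[0] >> 4) & 0xF    # bits 4-7 of the first octet
    return (ftype << 4) | subtype

def parse_probe(frame: bytes):
    """Return (kind, source MAC, SSID) for probe frames, or None for any other frame."""
    ts = type_subtype(frame)
    if ts not in (PROBE_REQUEST, PROBE_RESPONSE):
        return None
    if len(frame) < 24:
        raise ValueError("truncated management header")
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = transmitter
    # Probe responses carry 12 fixed octets (timestamp, interval, capabilities) first
    pos = 24 + (12 if ts == PROBE_RESPONSE else 0)
    ssid = None
    while pos + 2 <= len(frame):                       # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            break                                      # truncated element (or trailing FCS)
        if tag == 0:                                   # element ID 0 = SSID
            ssid = value.decode("utf-8", "replace")    # empty string = wildcard probe
            break
        pos += 2 + length
    kind = "probe-request" if ts == PROBE_REQUEST else "probe-response"
    return kind, src, ssid

def _mgmt(fc0: int, src_hex: str, body: bytes) -> bytes:
    """Build a constructed management frame: 24-byte header plus body."""
    return (bytes([fc0, 0]) + bytes(2) + b"\xff" * 6 +
            bytes.fromhex(src_hex) + b"\xff" * 6 + bytes(2) + body)

# Constructed sample frames (locally administered MACs, made-up SSIDs)
SAMPLE_REQ = _mgmt(0x40, "020000000001", b"\x00\x05guest\x01\x04\x02\x04\x0b\x16")
SAMPLE_RESP = _mgmt(0x50, "020000000002", bytes(12) + b"\x01\x01\x82\x00\x04corp")
SAMPLE_BEACON = _mgmt(0x80, "020000000002", bytes(12) + b"\x00\x04corp")

if __name__ == "__main__":
    for f in (SAMPLE_REQ, SAMPLE_RESP, SAMPLE_BEACON):
        print(hex(type_subtype(f)), parse_probe(f))
```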