
What is the filter string to capture packets with specific length for their LLC?

In order to find packets that the LLC exists in, the display filter is simply "llc".
But how can I contrive from that a filter for its length?


Edit #1 (18 May 2014 07:14 UTC):

The LLC is 8 bytes in length. Here's an example of such an LLC header (in PDML format): http://pastebin.com/MKNy77Qa

Indeed, we're talking about WiFi packets. Sorry for omitting this detail.

The filter llc.control.ftype == "Unnumbered frame" seems to work even though it's a WiFi packet. Can I rely on it?

asked 15 May '14, 08:25 by Dor_lan

edited 17 May '14, 23:30


I presume, from "the display filter is simply 'llc'", that by "LLC" you mean the IEEE 802.2 LLC.

If so, then the LLC header is either 3 or 4 bytes long. If you want packets with a 3-byte header (which is almost all of them), you want unnumbered frames; if you want packets with a 4-byte header, you want non-unnumbered frames.

If by "capture packets" you mean "capture packets", i.e. you don't want Wireshark to even see those packets, the capture filter for packets with a 3-byte LLC header would, for Ethernet, be

ether[12:2] <= 1500 && (ether[16] & 0x03) == 0x03

where the first test checks that the type/length field in the Ethernet header has a value <= 1500 and thus is a length field - meaning that what follows should be an 802.2 LLC header - and the second test checks that the type in the control field of the LLC header is "unnumbered".

To check for packets with a 4-byte LLC header, do

ether[12:2] <= 1500 && (ether[16] & 0x03) != 0x03

For other network types, such as Wi-Fi, it'd be different - and somewhat complicated, assuming it's even possible, given that the link-layer header is variable-length. libpcap should really support filters for checking for LLC frame types, but it currently doesn't; I'll look at adding that (but that won't help until it shows up in a libpcap/WinPcap release and you have that version of libpcap/WinPcap on your system, with Wireshark using it).

If you've already captured the packets, and you only want to see the ones with a 3-byte LLC header, the display filter is

llc.control.ftype == "Unnumbered frame"

and for the ones with a 4-byte LLC header, it's

llc.control.ftype != "Unnumbered frame"

answered 17 May '14, 15:49 by Guy Harris ♦♦

Indeed it's a WiFi packet. Would the last 2 filters work anyway? Please see my Edit. Thx!

(17 May '14, 23:31) Dor_lan

Yes, the display filters will work.

(17 May '14, 23:41) Guy Harris ♦♦

There is no length field in the LLC headers - at least not in the ones that I have found so far. You could filter on eth.len if the LLC frames are flowing over Ethernet and - given the LLC header itself is 3 bytes in size - subtract 3.

answered 15 May '14, 14:01 by mrEEde
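Both answers above reason about the LLC header at the byte level: Guy Harris's capture filter tests ether[12:2] (the 802.3 type/length field) and the two low bits of ether[16] (the LLC control field), and mrEEde's answer derives the LLC payload length as eth.len minus the header size. The Python script below is an added example, not code from either answerer, from Wireshark or from libpcap; it builds constructed 802.3 frames and evaluates the same tests, extending mrEEde's subtraction to the 4-byte (I/S frame) header case. The frame builder, the sample MAC addresses and the function names are assumptions made for this example.

```python
import struct

ETH_HDR_LEN = 14        # dst(6) + src(6) + type/length(2)
MAX_8023_LENGTH = 1500  # a type/length value <= 1500 is an 802.3 length field, not an EtherType


def build_8023_llc_frame(control: bytes, payload: bytes) -> bytes:
    """Build a constructed IEEE 802.3 frame carrying an 802.2 LLC header (sample data, not a capture)."""
    dst = bytes.fromhex("0180c2000000")      # constructed destination MAC
    src = bytes.fromhex("0a0b0c0d0e0f")      # constructed source MAC
    llc = bytes([0x42, 0x42]) + control      # DSAP, SSAP, then a 1- or 2-byte control field
    body = llc + payload
    return dst + src + struct.pack("!H", len(body)) + body


def ether_length_field(frame: bytes):
    """Return ether[12:2] when it is an 802.3 length field (<= 1500), else None for an EtherType frame."""
    if len(frame) < ETH_HDR_LEN:
        return None
    value = struct.unpack("!H", frame[12:14])[0]
    return value if value <= MAX_8023_LENGTH else None


def llc_header_len(frame: bytes):
    """Same test as '(ether[16] & 0x03) == 0x03': unnumbered frames have a 3-byte header, I/S frames 4 bytes.

    Fixed offsets only hold for Ethernet; an 802.11 MAC header is variable-length, so the LLC
    control byte is not at a constant offset there (the point made in the answer above)."""
    if ether_length_field(frame) is None or len(frame) < ETH_HDR_LEN + 3:
        return None
    control = frame[16]
    return 3 if (control & 0x03) == 0x03 else 4


def llc_frame_type(frame: bytes):
    """Classify the control field the way Wireshark's llc.control.ftype does."""
    if llc_header_len(frame) is None:
        return None
    control = frame[16]
    if control & 0x01 == 0:
        return "Information frame"     # bit 0 clear: I-frame, 2-byte control
    if control & 0x03 == 0x01:
        return "Supervisory frame"     # bits 01: S-frame, 2-byte control
    return "Unnumbered frame"          # bits 11: U-frame, 1-byte control


def llc_payload_len(frame: bytes):
    """eth.len minus the LLC header length: mrEEde's 'subtract 3', generalised to 4-byte headers."""
    length = ether_length_field(frame)
    header = llc_header_len(frame)
    if length is None or header is None:
        return None
    return length - header


def matches_capture_filter(frame: bytes, unnumbered: bool = True) -> bool:
    """Evaluate 'ether[12:2] <= 1500 && (ether[16] & 0x03) == 0x03' (or '!= 0x03' when unnumbered=False)."""
    header = llc_header_len(frame)
    if header is None:
        return False
    return (header == 3) == unnumbered


# Constructed sample frames (not captured traffic); payloads are short and unpadded for readability.
SAMPLE_U_FRAME = build_8023_llc_frame(b"\x03", b"\x00" * 35)        # UI frame, 1-byte control
SAMPLE_I_FRAME = build_8023_llc_frame(b"\x00\x00", b"\x00" * 35)    # I-frame N(S)=0, N(R)=0
SAMPLE_S_FRAME = build_8023_llc_frame(b"\x01\x00", b"\x00" * 35)    # RR supervisory frame
SAMPLE_ETHERTYPE_FRAME = (bytes.fromhex("0180c2000000" "0a0b0c0d0e0f" "0800")
                          + b"\x45" + b"\x00" * 45)                 # EtherType 0x0800, no LLC

if __name__ == "__main__":
    for name, frame in [("U", SAMPLE_U_FRAME), ("I", SAMPLE_I_FRAME),
                        ("S", SAMPLE_S_FRAME), ("EtherType", SAMPLE_ETHERTYPE_FRAME)]:
        print(name, ether_length_field(frame), llc_header_len(frame),
              llc_frame_type(frame), llc_payload_len(frame),
              matches_capture_filter(frame), matches_capture_filter(frame, unnumbered=False))
```

Running the script prints, per sample frame, the 802.3 length field, the LLC header size, the frame type, the LLC payload length and the result of the two capture-filter expressions; the EtherType frame is rejected by both expressions because its type/length field exceeds 1500.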
