I am using Wireshark 1.12.4 on Fedora. I am trying to use a capture filter to lessen the quantity of data I am storing to disk at a customer's site where I am logging traffic to trace an issue. They have 10 radios and I would like to capture all traffic to/from the radios and ignore everything else. This is rather trivial in the display filter as I can use wlan.addr contains aa:bb:cc with the OUI of the device since they are all the same vendor. However, I'm not having luck with doing the same with a capture filter. The closest I have come is (wlan[0:4] & 0xFFFFFF00) == 0xAABBCC00 as the capture filter at least turned green on input. However, when I tried this, I did not get any packets captured. Thanks! asked 25 Mar '15, 14:42 shadowrider |
One Answer:
Let's look at the BPF code of the following filter:
Run the following command to dump the BPF code
Output:
As you can see, this working wlan filter reads 4 or 2 bytes (ld, ldh) at different positions [8,6,2,0], which is equal 6 bytes for dst addr (starting at [0]) and 6 bytes for src addr (starting at [6]). Now let's check your filter:
Output:
Your filter reads 4 bytes (ld) at position [0], so it should at least capture frames with dst addr of aa:bb:cc:* I guess you would need the frames with src addr aa:bb:cc:* as well, so what you need is a combination of both. Solution:
Output:
I did not test that filter, but the BPF code looks O.K., so it should work. Regards answered 25 Mar '15, 17:38 Kurt Knochner ♦ |
Well, it does appear to be a valid filter but when I apply it, I don't capture any packets.
I looked at the output of the generated code and see that it is different for the wireless interface vs the default. Not sure if that explains it. Here it is for both (OUI is 00:aa:bb)
Its also interesting that the code for the simple filter is quite different for the wireless interface vs the default:
Packets from “eth0” have Ethernet headers, which have a fixed length and format and have only two MAC addresses to test. Packets from “wlan4” have 802.11 headers, which have a variable length and format and have somewhere between two and four MAC addresses to test; that causes the code to be more complicated and, due to limitations in the BPF compiler’s optimizer, require that the optimizer be disabled, so that the optimizer can’t do any simplifications of the code.
And the variable-length-and-format headers also mean that you have to know whether the packet has 2, 3, or 4 MAC addresses in order to know at what offsets the MAC addresses are.