I am using Wireshark 1.12.4 on Fedora. I am trying to use a capture filter to lessen the quantity of data I am storing to disk at a customer's site where I am logging traffic to trace an issue. They have 10 radios and I would like to capture all traffic to/from the radios and ignore everything else. This is rather trivial in the display filter as I can use
wlan.addr contains aa:bb:cc
with the OUI of the device since they are all the same vendor.
However, I'm not having luck with doing the same with a capture filter. The closest I have come is (wlan[0:4] & 0xFFFFFF00) == 0xAABBCC00 as the capture filter, which at least turned green on input. However, when I tried this, I did not get any packets captured.
asked 25 Mar '15, 14:42
Let's look at the BPF code of the following filter:
Run the following command to dump the BPF code
As you can see, this working wlan filter reads 4 or 2 bytes (ld, ldh) at different positions [8,6,2,0], which equals 6 bytes for dst addr (starting at ) and 6 bytes for src addr (starting at ).
Now let's check your filter:
Your filter reads 4 bytes (ld) at position , so it should at least capture frames with dst addr of aa:bb:cc:*
I guess you would need the frames with src addr aa:bb:cc:* as well, so what you need is a combination of both.
I did not test that filter, but the BPF code looks O.K., so it should work.
answered 25 Mar '15, 17:38
Kurt Knochner ♦
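The answer above reasons about the filter purely in terms of BPF loads: a 4-byte big-endian load at a fixed offset, a mask that drops the fourth byte, and a comparison against the OUI. The following Python is an added example (not from the question or the answer) that evaluates exactly that arithmetic on constructed frames, so you can see why a single load only matches the destination address and why the combined "dst or src" check from the answer is needed. The OUI aa:bb:cc is the placeholder from the question; the frames and MAC addresses are constructed here; the 802.11 offsets assume a raw 802.11 link type with no radiotap header and ignore 4-address (WDS) frames.

```python
"""Evaluate an OUI capture filter the way BPF does: 'ld [off]' loads a 4-byte
big-endian word, '& 0xFFFFFF00' keeps the first three bytes, then compare.

Added example with constructed frames; nothing here comes from a real capture."""

import struct

OUI = 0xAABBCC        # placeholder vendor prefix taken from the question
MASK = 0xFFFFFF00     # keep the upper 3 bytes of the 4-byte load

# Standard header layouts (assumption: raw 802.11 without a radiotap header).
# Ethernet puts dst at 0 and src at 6. 802.11 puts Frame Control (2 bytes) and
# Duration/ID (2 bytes) first, so addr1/addr2/addr3 start at 4, 10 and 16.
# addr4 (4-address WDS frames) is ignored in this example.
ADDRESS_OFFSETS = {
    "ethernet": (0, 6),
    "wlan": (4, 10, 16),
}


def load_word(frame: bytes, offset: int):
    """BPF 'ld [offset]': 4-byte big-endian load. An out-of-range load rejects the packet."""
    if offset + 4 > len(frame):
        return None
    return struct.unpack_from("!I", frame, offset)[0]


def oui_matches_at(frame: bytes, offset: int, oui: int = OUI) -> bool:
    """Equivalent of '(link[offset:4] & 0xFFFFFF00) == (oui << 8)'."""
    word = load_word(frame, offset)
    return word is not None and (word & MASK) == (oui << 8)


def capture_filter(frame: bytes, link_type: str, oui: int = OUI) -> bool:
    """Accept a frame if any address field for this link type carries the OUI,
    i.e. the 'dst or src' combination the answer describes."""
    return any(oui_matches_at(frame, off, oui) for off in ADDRESS_OFFSETS[link_type])


# --- constructed sample frames -------------------------------------------------

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


RADIO = mac("aa:bb:cc:00:00:01")    # constructed radio address (matches the OUI)
AP = mac("00:11:22:33:44:55")       # constructed access point / bridge
LAPTOP = mac("66:77:88:99:aa:bb")   # constructed unrelated station


def ethernet_frame(dst: bytes, src: bytes) -> bytes:
    return dst + src + b"\x08\x00" + b"\x00" * 20          # EtherType IPv4 + dummy payload


def wlan_data_frame(addr1: bytes, addr2: bytes, addr3: bytes) -> bytes:
    fc = b"\x08\x01"          # type=data, subtype 0, ToDS=1 (station -> AP)
    duration = b"\x00\x00"
    seq_ctl = b"\x00\x00"
    return fc + duration + addr1 + addr2 + addr3 + seq_ctl + b"\x00" * 20


def demo() -> dict:
    """Run the single-load filter and the combined filter over the sample frames."""
    eth_to_radio = ethernet_frame(RADIO, LAPTOP)
    eth_from_radio = ethernet_frame(LAPTOP, RADIO)
    eth_other = ethernet_frame(LAPTOP, AP)
    # ToDS data frame: addr1 = BSSID (AP), addr2 = transmitter (radio), addr3 = final dst
    wlan_from_radio = wlan_data_frame(AP, RADIO, LAPTOP)
    return {
        "single load at 0, Ethernet frame to radio": oui_matches_at(eth_to_radio, 0),
        "single load at 0, Ethernet frame from radio": oui_matches_at(eth_from_radio, 0),
        "dst|src filter, Ethernet frame from radio": capture_filter(eth_from_radio, "ethernet"),
        "dst|src filter, unrelated Ethernet frame": capture_filter(eth_other, "ethernet"),
        "single load at 0, raw 802.11 frame from radio": oui_matches_at(wlan_from_radio, 0),
        "addr1|addr2|addr3 filter, raw 802.11 frame": capture_filter(wlan_from_radio, "wlan"),
    }


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label}: {'captured' if accepted else 'dropped'}")
```

The run shows the two points that matter in practice: a single 4-byte load only ever matches one address field, so frames sent by the radios are dropped until the source-side load is OR'd in, and the offset of that load depends on the link type the capture actually uses. Before trusting a filter at the customer site, compare its compiled BPF (tcpdump's -d option prints it) against the link type of the interface you are capturing on, because a frame whose header starts with Frame Control and Duration/ID will never match a load taken at offset 0.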