This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Here's my command:

tshark -i iface -o wlan.enable_decryption:TRUE -2 -R ip -T fields -e eth.dst -e ip.src -e ip.len

Actually the -R is "ip && !ip == 192.168.0.0/24", but the code display here seems bent on replacing '&' with HTML entities.

Anyway, I have WPA credentials in ~/.wireshark/80211_keys and this works for nodes that subsequently connect to the network, but the first field (eth.dst) is always blank. I've also tried eth.addr, same thing.

How can I get what I want here, namely, the destination MAC address, the IP source address, and the packet length?

asked 21 Apr '15, 12:40

mk27


> but the first field (eth.dst) is always blank. I've also tried eth.addr, same thing.

which is totally normal if you are looking at Wi-Fi/WLAN traffic, as it does not have an Ethernet header.

Please try one of the following fields:

-e wlan.addr -e wlan.ra -e wlan.sa -e wlan.ta -e wlan.da

For more details, please check the following link:

https://www.wireshark.org/docs/dfref/w/wlan.html

Regards
Kurt

answered 21 Apr '15, 14:00

Kurt Knochner ♦
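
Why the wlan.* fields in the answer differ from one another, as an added example that is not part of the original answer: a minimal parser for the 802.11 data-frame header that maps its address slots to RA/TA/DA/SA using the ToDS/FromDS bits. It goes beyond the answer's field list by showing the general mapping; the function names and sample frames are constructed for illustration, and the input is assumed to start at the 802.11 header with no radiotap header in front.

```python
import struct

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def wlan_addresses(frame: bytes) -> dict:
    """Map the address slots of an 802.11 data frame to the roles that
    tshark exposes as wlan.ra / wlan.ta / wlan.da / wlan.sa."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)   # frame control, little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = (_mac(frame[o:o + 6]) for o in (4, 10, 16))
    roles = {"ra": a1, "ta": a2}                 # addr1/addr2 are always RA/TA
    if to_ds and from_ds:                        # 4-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        roles.update(da=a3, sa=_mac(frame[24:30]))
    elif to_ds:                                  # station -> AP
        roles.update(bssid=a1, sa=a2, da=a3)
    elif from_ds:                                # AP -> station
        roles.update(da=a1, bssid=a2, sa=a3)
    else:                                        # no distribution system
        roles.update(da=a1, sa=a2, bssid=a3)
    return roles

# Constructed sample data: locally administered MACs, not from a real capture.
AP, STA, PEER = (bytes.fromhex("02000000000" + d) for d in "123")

def data_frame(flags: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """Build a bare data-frame header: FC, duration, addr1-3, sequence control."""
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

UPLINK = data_frame(0x01, AP, STA, PEER)     # ToDS=1: STA sends to PEER via AP
DOWNLINK = data_frame(0x02, STA, AP, PEER)   # FromDS=1: AP relays PEER -> STA

if __name__ == "__main__":
    for name, frame in (("uplink", UPLINK), ("downlink", DOWNLINK)):
        r = wlan_addresses(frame)
        print(name, "ra=" + r["ra"], "da=" + r["da"], "sa=" + r["sa"])
```

On uplink frames wlan.ra is the access point while wlan.da is the final destination, so wlan.da is the field that corresponds to what eth.dst would have shown.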


question asked: 21 Apr '15, 12:40

question was seen: 1,413 times

last updated: 21 Apr '15, 14:00
