I'm currently capturing traffic in tshark and applying a display filter like the following to capture only probe requests:

    tshark -n -l -i wlan0 -R 'wlan.fc.type_subtype == 0x0004 && wlan_mgt.ssid != "" && wlan.fcs_good == 1' -T fields -e wlan.sa -e wlan_mgt.ssid

My traces are so huge as there's no capture filter, in tcpdump style, but I can't find anything for 802.11. How can I create a capture filter that would limit my traffic to probe requests only? Or at least management frames or ... Thanks!

asked 03 Nov '15, 10:08 TomLaBaude |
2 Answers:
By reading the pcap-filter man page, which documents the syntax of libpcap/WinPcap capture filters as used by tcpdump/WinDump, Wireshark, etc., in particular the part describing the "type" and "subtype" keywords, and then noticing that one of the possible "subtype" values is "probe-req", so that "subtype probe-req" would be the filter.
If you want management frames in general, that'd be "type mgt", as per that man page. answered 03 Nov '15, 14:22 Guy Harris ♦♦ |
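As an added illustration of the answer above (not code from the question or from Wireshark), the block below decodes the 802.11 Frame Control field to show why `subtype probe-req` (type 0, subtype 4) and a null data frame (type 2, subtype 4) differ, maps a frame to its pcap-filter keywords, and builds a tshark argv that passes the capture filter with `-f` and the display filter with `-Y`. The sample Frame Control bytes are constructed, not captured.

```python
# Added example: decode 802.11 Frame Control and relate it to both the
# libpcap capture-filter keywords (pcap-filter man page) and Wireshark's
# combined wlan.fc.type_subtype value.

TYPE_NAMES = {0: "mgt", 1: "ctl", 2: "data"}
# Subset of pcap-filter subtype keywords for management and data frames.
MGT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req",
                5: "probe-resp", 8: "beacon"}
DATA_SUBTYPES = {0: "data", 4: "null"}


def parse_frame_control(frame: bytes) -> dict:
    """Decode the first octet of the (little-endian) Frame Control field.

    Bits 0-1: protocol version, bits 2-3: type, bits 4-7: subtype.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc = frame[0]
    ftype = (fc >> 2) & 0x03
    subtype = (fc >> 4) & 0x0F
    # Wireshark folds type and subtype into one value: type in the high
    # nibble, subtype in the low nibble, so 0x0004 is a probe request and
    # a null data frame is 0x0024, not 0x0004.
    return {"version": fc & 0x03, "type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype}


def capture_filter_for(frame: bytes) -> str:
    """Return the pcap-filter expression that matches this frame's type."""
    fc = parse_frame_control(frame)
    tname = TYPE_NAMES.get(fc["type"], "reserved")
    table = {0: MGT_SUBTYPES, 2: DATA_SUBTYPES}.get(fc["type"], {})
    sname = table.get(fc["subtype"])
    return f"type {tname} subtype {sname}" if sname else f"type {tname}"


def tshark_argv(iface: str, capture_filter: str, display_filter: str) -> list:
    """Build a tshark command line: -f is the libpcap capture filter
    (applied before packets are stored), -Y is the display filter."""
    return ["tshark", "-n", "-l", "-i", iface, "-f", capture_filter,
            "-Y", display_filter,
            "-T", "fields", "-e", "wlan.sa", "-e", "wlan_mgt.ssid"]


# Constructed Frame Control octets (first two bytes of any 802.11 frame).
PROBE_REQ = bytes([0x40, 0x00])  # 0100 0000: type 0 (mgt),  subtype 4
NULL_DATA = bytes([0x48, 0x00])  # 0100 1000: type 2 (data), subtype 4
BEACON = bytes([0x80, 0x00])     # 1000 0000: type 0 (mgt),  subtype 8
```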
Add wlan.fc.type == 0 to your filter to only get management frames. Null data frames also have a subtype of 4. answered 04 Feb '16, 12:41 Ted Wards |
Hi Ted, thanks for answering, but this is a display filter, not a capture filter. Guy gave me the answer.