This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am trying to troubleshoot a "choppy audio" issue with a wifi voice communication device. I have taken a packet capture using wireshark, however, I cannot seem to filter out any of the multicast audio packets. I see the device receive/join the multicast session, but then it's almost as if there are no audio packets getting to the badge. I have also done a completely open capture with no filters, and see the same thing.

Anyone know how to capture and view this info in wireshark?

asked 25 Feb '16, 10:15

WiresRDumb's gravatar image

WiresRDumb
6112
accept rate: 0%

How is your capture setup?

(25 Feb '16, 13:53) Jaap ♦

I did an open capture, meaning that I had 6 AirPCAP NX adapters assigned to each of the surrounding 5Ghz channels (we're only doing 20Mhz wide). I used no capture filters, but when I use the display filter wlan.addr == ########## I see everything except the multicast audio packets.

I also took a second capture using the capture filter wlan host ########### and it did the same thing.

(26 Feb '16, 05:18) WiresRDumb

Maybe I'm stupid, but why do you expect the destination wlan.addr to be the individual MAC address of the receiving device in case of multicast?

(26 Feb '16, 14:50) sindy

Maybe I'M stupid (haha) but I would expect the multicast audio packets coming to the device to have a destination address, right?

(29 Feb '16, 06:01) WiresRDumb

As Amato has answered in the meantime - the very idea of multicast is that the sender sends a single packet and all recipients interested in it receive it. To facilitate that, not only the IP destination address needs to be a multicast one, i.e. different from the individual addresses of the receiving devices, but the same is true also for the MAC addresses. So please apply the last version of display filter suggested by Amato and see whether you'll see any frames.

(29 Feb '16, 06:06) sindy

You could use the following display filter to show only the Multicast traffic:

wlan.addr[:1] & 01

This display filter will only display packets with the Individual/Group (I/G) bit set (==1). For WLAN addresses, only the Destination and Receiver addresses may have the I/G bit set to 1. So to be more appropriate:

(wlan.da[:1] & 01) || (wlan.ra[:1] & 01)

permanent link

answered 27 Feb '16, 15:30

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%

If you need to eliminate broadcast frames from the WiFi elements, then apply the following filter:

!(wlan.addr == ff:ff:ff:ff:ff:ff)

So the entire filter would be:

(wlan.addr[:1] & 01) && !(wlan.addr == ff:ff:ff:ff:ff:ff)

(28 Feb '16, 15:00) Amato_C

Thank you Amato, I will try this today and let you know!

(29 Feb '16, 06:01) WiresRDumb

I tried this display filter on a capture I performed today and it was successful. Procedure I used:

  1. Captured all traffic on channel. I did not use any capture filters.
  2. Applied the following display filter after stopped capture:

(wlan.addr[:1] & 01) && !(wlan.addr == ff:ff:ff:ff:ff:ff)

I was then able to see all the multicast traffic over the WiFi network without seeing the broadcast frames.

(01 Mar '16, 09:24) Amato_C
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×134
×27
×2

question asked: 25 Feb '16, 10:15

question was seen: 1,490 times

last updated: 01 Mar '16, 09:24

p​o​w​e​r​e​d by O​S​Q​A