I am trying to troubleshoot a "choppy audio" issue with a wifi voice communication device. I have taken a packet capture using wireshark, however, I cannot seem to filter out any of the multicast audio packets. I see the device receive/join the multicast session, but then it's almost as if there are no audio packets getting to the badge. I have also done a completely open capture with no filters, and see the same thing. Anyone know how to capture and view this info in wireshark? asked 25 Feb '16, 10:15 WiresRDumb |
One Answer:
You could use the following display filter to show only the Multicast traffic: wlan.addr[:1] & 01 This display filter will only display packets with the Individual/Group (I/G) bit set (==1). For WLAN addresses, only the Destination and Receiver addresses may have the I/G bit set to 1. So to be more appropriate: (wlan.da[:1] & 01) || (wlan.ra[:1] & 01) answered 27 Feb '16, 15:30 Amato_C If you need to eliminate broadcast frames from the WiFi elements, then apply the following filter: !(wlan.addr == ff:ff:ff:ff:ff:ff) So the entire filter would be: (wlan.addr[:1] & 01) && !(wlan.addr == ff:ff:ff:ff:ff:ff) (28 Feb '16, 15:00) Amato_C Thank you Amato, I will try this today and let you know! (29 Feb '16, 06:01) WiresRDumb I tried this display filter on a capture I performed today and it was successful. Procedure I used:
(wlan.addr[:1] & 01) && !(wlan.addr == ff:ff:ff:ff:ff:ff) I was then able to see all the multicast traffic over the WiFi network without seeing the broadcast frames. (01 Mar '16, 09:24) Amato_C |
How is your capture setup?
I did an open capture, meaning that I had 6 AirPCAP NX adapters assigned to each of the surrounding 5Ghz channels (we're only doing 20Mhz wide). I used no capture filters, but when I use the display filter wlan.addr == ########## I see everything except the multicast audio packets.
I also took a second capture using the capture filter wlan host ########### and it did the same thing.
Maybe I'm stupid, but why do you expect the destination
wlan.addr
to be the individual MAC address of the receiving device in case of multicast?Maybe I'M stupid (haha) but I would expect the multicast audio packets coming to the device to have a destination address, right?
As Amato has answered in the meantime - the very idea of multicast is that the sender sends a single packet and all recipients interested in it receive it. To facilitate that, not only the IP destination address needs to be a multicast one, i.e. different from the individual addresses of the receiving devices, but the same is true also for the MAC addresses. So please apply the last version of display filter suggested by Amato and see whether you'll see any frames.