This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Multicast Audio Packets

0

I am trying to troubleshoot a "choppy audio" issue with a wifi voice communication device. I have taken a packet capture using wireshark, however, I cannot seem to filter out any of the multicast audio packets. I see the device receive/join the multicast session, but then it's almost as if there are no audio packets getting to the badge. I have also done a completely open capture with no filters, and see the same thing.

Anyone know how to capture and view this info in wireshark?

asked 25 Feb '16, 10:15

WiresRDumb's gravatar image

WiresRDumb
6112
accept rate: 0%

How is your capture setup?

(25 Feb '16, 13:53) Jaap ♦

I did an open capture, meaning that I had 6 AirPCAP NX adapters assigned to each of the surrounding 5Ghz channels (we're only doing 20Mhz wide). I used no capture filters, but when I use the display filter wlan.addr == ########## I see everything except the multicast audio packets.

I also took a second capture using the capture filter wlan host ########### and it did the same thing.

(26 Feb '16, 05:18) WiresRDumb

Maybe I'm stupid, but why do you expect the destination wlan.addr to be the individual MAC address of the receiving device in case of multicast?

(26 Feb '16, 14:50) sindy

Maybe I'M stupid (haha) but I would expect the multicast audio packets coming to the device to have a destination address, right?

(29 Feb '16, 06:01) WiresRDumb

As Amato has answered in the meantime - the very idea of multicast is that the sender sends a single packet and all recipients interested in it receive it. To facilitate that, not only the IP destination address needs to be a multicast one, i.e. different from the individual addresses of the receiving devices, but the same is true also for the MAC addresses. So please apply the last version of display filter suggested by Amato and see whether you'll see any frames.

(29 Feb '16, 06:06) sindy

One Answer:

0

You could use the following display filter to show only the Multicast traffic:

wlan.addr[:1] & 01

This display filter will only display packets with the Individual/Group (I/G) bit set (==1). For WLAN addresses, only the Destination and Receiver addresses may have the I/G bit set to 1. So to be more appropriate:

(wlan.da[:1] & 01) || (wlan.ra[:1] & 01)

answered 27 Feb '16, 15:30

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%

If you need to eliminate broadcast frames from the WiFi elements, then apply the following filter:

!(wlan.addr == ff:ff:ff:ff:ff:ff)

So the entire filter would be:

(wlan.addr[:1] & 01) && !(wlan.addr == ff:ff:ff:ff:ff:ff)

(28 Feb '16, 15:00) Amato_C

Thank you Amato, I will try this today and let you know!

(29 Feb '16, 06:01) WiresRDumb

I tried this display filter on a capture I performed today and it was successful. Procedure I used:

  1. Captured all traffic on channel. I did not use any capture filters.
  2. Applied the following display filter after stopped capture:

(wlan.addr[:1] & 01) && !(wlan.addr == ff:ff:ff:ff:ff:ff)

I was then able to see all the multicast traffic over the WiFi network without seeing the broadcast frames.

(01 Mar '16, 09:24) Amato_C