I want to write a capture filter for this display filter "tzsp && wlan.ra==<some mac address>" in tshark. I can write "udp port 37008" in place of tzsp, but I cannot find anywhere how to write a capture filter for wlan.ra==<some mac address>. EDIT: I am using a mikrotik routerboard to stream the sniffed 802.11 frames to my laptop over an IP network using TZSP encapsulation. Please help, thanks in advance.
asked 02 Sep '16, 05:42 tatsugot, edited 06 Sep '16, 05:28 sindy
2 Answers:
TZSP means that Mikrotik encapsulates the captured 802.11 frames into UDP, so the fact that the interface on which you capture indicates the link type as Ethernet is OK. But this also means that the libpcap capture filter processes the captured frames as Ethernet ones. Unfortunately, you cannot tell libpcap to ignore the first N octets of an Ethernet frame and interpret the rest as 802.11. So you would have to use a complex capture filter expression like I am afraid that the absolute position of the
The display filter works another way: it doesn't care at which place in the protocol hierarchy inside a frame the protocol field in question is placed. So in your particular case, where the IP layer may occur twice in a frame, a display filter
answered 06 Sep '16, 04:51 sindy, edited 06 Sep '16, 05:17
According to the pcap-filter manual page you should be looking at
answered 02 Sep '16, 07:32 Jaap ♦

Thanks for answering, sir. I had tried it earlier like this:
Input: tshark -i eno1 -f "udp port 37008 && wlan ra 01:40:96:00:00:03"
and I am getting this output:
tshark: Invalid capture filter "udp port 37008 && wlan ra 01:40:96:00:00:03" for interface 'wlo1'.
That string isn't a valid capture filter ('ra' is only supported on 802.11 with 802.11 headers).
See the User's Guide for a description of the capture filter syntax.
What should I do? (04 Sep '16, 05:27) tatsugot

what does (04 Sep '16, 06:37) sindy

@sindy it returns
Data link types of interface eno1 (use option -y to set):
EN10MB (Ethernet)
DOCSIS (DOCSIS) (05 Sep '16, 23:01) tatsugot

And despite that, if you capture on that interface without any filter, you get 802.11 frames with radiotap header etc.? (06 Sep '16, 01:54) sindy

@sindy In Wireshark, if I put the display filter as tzsp && wlan.ra == 01:40:96:00:00:03 I can see the packets I need to see. (06 Sep '16, 02:44) tatsugot

That sounds strange, so:
(06 Sep '16, 02:53) sindy

@sindy I am using a mikrotik routerboard to stream the sniffer stream to my laptop. Then I am using tshark to capture the traffic and store it in pcap files. The traffic is streamed via ethernet, so I am using eno1. If I use the filter Jaap suggested it gives me this:
tshark: Invalid capture filter "udp port 37008 && wlan ra 01:40:96:00:00:03" for interface 'wlo1'.
That string isn't a valid capture filter ('ra' is only supported on 802.11 with 802.11 headers).
See the User's Guide for a description of the capture filter syntax. (06 Sep '16, 04:25) tatsugot
@sindy udp[X1:4] = 0xaabbccdd and udp[X1+4:2] = 0xeeff: why have you broken it into two parts?
Because the capture filter can work with a maximum of 32 bits (4 bytes) at a time, a 6-octet MAC address needs to be handled this way. As stated in the pcap-filter man page, "Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one."
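The two points made in this thread, that libpcap only sees an Ethernet/IP/UDP packet and therefore needs an absolute byte offset for the receiver address, and that a udp[off:len] test can compare at most 4 bytes so the 6-byte MAC has to be split into a 4-byte and a 2-byte comparison, can be turned into a small script that derives the offset from a sample packet and prints the resulting filter. The script below is an added example and not code from the thread or from Mikrotik. It assumes the TZSP layout as dissected by Wireshark (4-byte header: version, type, encapsulated protocol; then tagged fields where 0x00 is a length-less padding tag, 0x01 is the length-less end-of-tags marker and every other tag carries a 1-byte length), that the receiver address is addr1 at offset 4 of the 802.11 MAC header, and that udp[] offsets count from the start of the 8-byte UDP header. The sample packet is constructed by hand; the tag section of a real stream may differ, so derive the offset from a packet saved from your own board and check that it is the same for every packet before relying on the filter.

```python
# Added example, not part of the original thread: compute the absolute offset
# of the 802.11 receiver address inside a TZSP-over-UDP packet and build the
# libpcap capture filter that the thread arrives at (udp[X:4] / udp[X+4:2]).
# The TZSP tag semantics and the sample packet below are my assumptions;
# verify the offset against a capture from your own board.
import struct

TZSP_PORT = 37008
TZSP_ENCAP_80211 = 0x0012   # encapsulated protocol value for IEEE 802.11
TAG_PADDING = 0x00          # no length byte
TAG_END = 0x01              # no length byte, ends the tag list
UDP_HEADER_LEN = 8          # udp[] offsets are relative to the UDP header
ADDR1_OFFSET = 4            # addr1 (wlan.ra) follows frame control + duration


def tzsp_frame_offset(udp_payload: bytes) -> int:
    """Return the offset within the UDP payload at which the encapsulated
    802.11 frame begins, by walking the TZSP header and its tag list."""
    version, _ptype, encap = struct.unpack_from("!BBH", udp_payload, 0)
    if version != 1:
        raise ValueError(f"unexpected TZSP version {version}")
    if encap != TZSP_ENCAP_80211:
        raise ValueError(f"encapsulated protocol 0x{encap:04x} is not 802.11")
    pos = 4
    while pos < len(udp_payload):
        tag = udp_payload[pos]
        pos += 1
        if tag == TAG_END:
            return pos
        if tag == TAG_PADDING:
            continue
        length = udp_payload[pos]   # all other tags: 1-byte length + data
        pos += 1 + length
    raise ValueError("TZSP tag list not terminated")


def build_capture_filter(frame_offset: int, ra: str, port: int = TZSP_PORT) -> str:
    """pcap-filter compares at most 4 bytes per udp[off:len] test, so the
    6-byte receiver address is split into a 4-byte and a 2-byte comparison."""
    mac = bytes.fromhex(ra.replace(":", ""))
    if len(mac) != 6:
        raise ValueError(f"not a 6-octet MAC address: {ra}")
    x = UDP_HEADER_LEN + frame_offset + ADDR1_OFFSET
    hi = int.from_bytes(mac[:4], "big")
    lo = int.from_bytes(mac[4:], "big")
    return (f"udp port {port} and udp[{x}:4] = 0x{hi:08x}"
            f" and udp[{x + 4}:2] = 0x{lo:04x}")


def filter_would_match(udp_payload: bytes, frame_offset: int, ra: str) -> bool:
    """Emulate the generated filter on a UDP payload (UDP header stripped)
    so the offset arithmetic can be checked before using it in tshark -f."""
    mac = bytes.fromhex(ra.replace(":", ""))
    start = frame_offset + ADDR1_OFFSET
    return udp_payload[start:start + 6] == mac


# Constructed sample: TZSP v1, type 0 (received), encap 802.11, two tags
# (0x0a and 0x0c, one data byte each), end tag, then a minimal 802.11
# data-frame MAC header whose addr1 is the address from the thread.
SAMPLE = bytes.fromhex(
    "01 00 00 12"            # TZSP header
    "0a 01 c0"               # tag 0x0a, length 1, value
    "0c 01 6c"               # tag 0x0c, length 1, value
    "01"                     # end of tags
    "08 01 00 00"            # frame control + duration
    "01 40 96 00 00 03"      # addr1 = receiver address (wlan.ra)
    "00 11 22 33 44 55"      # addr2
    "66 77 88 99 aa bb"      # addr3
    "10 00"                  # sequence control
)


def main() -> None:
    ra = "01:40:96:00:00:03"
    off = tzsp_frame_offset(SAMPLE)
    print(f"802.11 frame starts {off} bytes into the UDP payload")
    print("capture filter:", build_capture_filter(off, ra))
    print("sample would match:", filter_would_match(SAMPLE, off, ra))


if __name__ == "__main__":
    main()
```

For the sample packet the script prints udp port 37008 and udp[23:4] = 0x01409600 and udp[27:2] = 0x0003, which can be passed as-is to tshark -i eno1 -f "...". The filter only works because the tag section has a fixed length for this stream; if the board ever emits a different set of tags, the 802.11 frame shifts and the comparisons silently stop matching, which is exactly the limitation the answer above warns about.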