Hello, I'm hoping someone out there can help me. i'm looking to create a capture filter. That will capture arp request/response packets from a specific wlan host that are encapsulated in capwap. The arp information for requests is located in the LLC header under type and its hex code is 0x0806. Any ideas on this? asked 12 Jan '17, 16:00 j0eCamel |
One Answer:
It does not appear so. Let's look at some background information.
So if we look at the available primitives, we do see some primitives that are specific to LLC (llc and llc Fitype). But when we enter these primitives into Wireshark and press "Compile Selected BPF's", we get the message that the llc primitives can only be used on raw ATM data. From your email above, you are not capturing ATM traffic.
where proto = protocol, expr = offset of the field, and size = length in bytes. For example, wlan[0:1]=0x80 would capture only Beacon frames. So your best bet is to use the wlan[expr:size] The problem is that the LLC must be in the same place for every frame (i.e., no added fields in certain fields.) answered 13 Jan '17, 07:47 Amato_C showing 5 of 6 show 1 more comments |
Sorry - my mistake on first line. It should say: "It does appear so".
My mistake
Thank you for the response. i'm assuming that this info (0x806) is in the same place for ever capwap arp request. i'm basing this on the fact that using the display filter "wlan.addr == <mac address=""> and arp" displays the capwap arp traffic for a specific device.
Also how would i go about figuring out the offset and size in the packet for wlan[expr:size]?
So I was able to capture some WLAN traffic that has LLC. It appears that the LLC is outside the WLAN field, so wlan[expr:size] will not work.
And I stated before, llc will only work for ATM frames according to the Wireshark "Compile selected BFS's" output.
excuse my ignorance on this but what do you mean by "Compile selected BFS's"? But looking at the man page, there are two sections one for ether proto protocol and one for LLC which discusses 802.11 frames
which i think is the info i want to grab from or does this apply to only ATM frames you were referring to?
ether proto protocol the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring, or 802.11 header. When filtering for most protocol identifiers on FDDI, Token Ring, or 802.11, the filter checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn't check whether the packet is in SNAP format with an OUI of 0x000000.
llc IEEE 802.11 data packets;
Also in these packets the 0806 hex always shows up on bytes 92-93 of the packet and bytes 84-85 for the replies. is there a capture filter to look for those values?
@j0eCamel
Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.
@j0eCamel - sorry should have explained myself about the "Compile selected BPF's"
Launch Wireshark Legacy. Make sure it is the Legacy version. You can determine if you are really using the Legacy version by doing the following after Wireshark launches: Help / About Wireshark / After the Compiled with you should see "GTK+". The new Wireshark will have Qt
After Wireshark Legacy is launched, select Capture / Options
In the top pane of the window, select the Interface you will capture on
In the "Capture filter" type llc
To the right of the Capture filter, you should see "Compile selected BPF's". Press it.
A window will be displayed saying: "llc supported only on raw ATM
BPF = Berkeley Packet Filtering