This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I need to capture mdns multicast from a device that is NOT connected to an access point. Is this possible? I am new to wireshark but not to networking. I have been searching for how to do this and messing with filters but nothing works so far.

asked 21 Mar '17, 13:40

pmycue

Are you sure the device produces mdns when not connected to an AP? The link is down, so not obvious why mdns would be produced.

(21 Mar '17, 14:28) Bob Jones

Yes, both for Android using wifip2p and for iOS using multipeer they send mdns packets without access points in order to advertise services before setting up wifi direct or multipeer groups. I can see the services advertised by iOS from another iOS device with neither connected to an access point and I can see the services advertised by Android from another Android device without access points as well. What I am trying to do is see if/how I can see iOS from Android and vice versa.

(22 Mar '17, 06:16) pmycue

OK, this sounds interesting. Can you give some more clues - what tool or app do you use to see these? If I can see this info on my equipment, I can capture traffic on all 802.11 2.4/5GHz channels that are legal in my domain and try and find them.

I just need some more tips to get started - I want to be sure my phone(s) pick this up as well so when I look I have a chance of finding them.

Some of these devices use anonymous MAC addresses while probing and with likely other behavior. Could make it a challenge here if that feature is in play.

(22 Mar '17, 08:22) Bob Jones

I may be able to give you an Android sample app that does this, but anything that uses wifip2p on Android or multipeer (MPC) on iOS will do, just have it forget any access point and leave wifi on. I don't think Android does the anonymous MAC. In any case I am having trouble getting Wireshark to filter on anything, but I am just starting working with this and likely that is my mistake.

(22 Mar '17, 08:45) pmycue

Hello @pmycue and @Bob Jones, I would like to make a suggestion in that pre-association discovery (PAD) of services is carried over Action frames - specifically Public Action frames or Protected Dual of Public Action frames.

Both the Public and Protected Dual of Public Action Frames are able to carry Generic Advertisement Service (GAS) information. GAS provides functionality that enables WiFi devices to discover the availability of information related to desired network services either prior to joining a BSS or after joining the BSS. Originally GAS provided very little about network services, but with 802.11aq, that changed. (Note 11aq is not officially released).

Here is a link with more information about the IEEE task group for 11aq:

https://mentor.ieee.org/802.11/dcn/13/11-13-1313-04-0000-tgaq-mini-tutorial.ppt

The link should download a PowerPoint.

What filters to use?

  1. (wlan.fc.type_subtype == 0x000d) --- All Action frames

  2. (wlan.fc.type_subtype == 0x000d) && (wlan_mgt.fixed.category_code == 4) --- Public Action frames only - not sure if this will work. I have to verify.

  3. (wlan.fc.type_subtype == 0x000d) && (wlan_mgt.fixed.category_code == 9) --- Protected Dual of Public Action frames only - not sure if this will work. I have to verify.

Please note that all the above filters are display filters. This means you can only apply them AFTER the capture is complete. I would recommend capturing on 1 channel (e.g., channel 6) for a few minutes. Then apply the above filters.

I will try to perform a capture and see what I observe in the next few days. But this may be a start?

(22 Mar '17, 20:02) Amato_C
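Added example, not part of the original thread: what the three display filters in the comment above test, applied directly to raw 802.11 frame bytes. The sample frames and the names `classify`, `matches` and `build_mgmt` are constructed for illustration; the frames are assumed to start at Frame Control with any radiotap header already removed.

```python
ACTION = 0x0D  # management type 0, subtype 13, as in wlan.fc.type_subtype
CATEGORY_NAMES = {4: "Public Action", 9: "Protected Dual of Public Action"}

def classify(frame: bytes):
    """Return (type_subtype, category) for a raw 802.11 frame.

    category is None for non-Action frames and for Action frames whose
    Protected bit is set, because their body is encrypted.
    """
    if len(frame) < 2:
        raise ValueError("too short to hold Frame Control")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype        # Wireshark's combined value
    if type_subtype != ACTION:
        return type_subtype, None
    if frame[1] & 0x40:                          # Protected Frame flag
        return type_subtype, None
    offset = 24 + (4 if frame[1] & 0x80 else 0)  # +HTC adds HT Control
    if len(frame) <= offset:
        raise ValueError("Action frame truncated before Category")
    return type_subtype, frame[offset]

def matches(frame: bytes, category=None) -> bool:
    """Filter 1 when category is None, filters 2 and 3 for category 4 and 9."""
    type_subtype, found = classify(frame)
    if type_subtype != ACTION:
        return False
    return category is None or found == category

def build_mgmt(subtype: int, body: bytes, flags: int = 0) -> bytes:
    """Constructed sample frame: broadcast destination, made-up sender."""
    sender = bytes.fromhex("021122334455")
    header = bytes([subtype << 4, flags]) + b"\x00\x00"
    header += b"\xff" * 6 + sender + sender + b"\x00\x00"
    if flags & 0x80:
        header += b"\x00" * 4                    # HT Control field
    return header + body

SAMPLES = {                                      # all constructed
    "gas_initial_request": build_mgmt(13, bytes([4, 10, 1])),
    "gas_with_htc": build_mgmt(13, bytes([4, 10, 1]), flags=0x80),
    "encrypted_action": build_mgmt(13, bytes(16), flags=0x40),
    "beacon": build_mgmt(8, bytes(12)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        ts, cat = classify(frame)
        print(f"{name:20} type_subtype=0x{ts:04x} category={CATEGORY_NAMES.get(cat, cat)}")
```

An Action frame with the Protected flag set still matches the first filter, but its category byte cannot be read from the capture without the keys, so a category test does not match it.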

Thank you, I have started having some success after discovering that there are wifip2p keywords for filtering as well. An odd thing: my device shows its MAC address in settings as 2c:0e:3d:bd:25:ab BUT in the trace, it shows up as 2c:0e:3d:bd:25:ab WHICH is why I had such a hard time finding its frames. It is clearly the right device; I have all others turned off and it identifies it as a Samsung S7 properly.

(23 Mar '17, 06:53) pmycue

Sorry, shows in settings as 2c:0e:3d:bd:25:ab but 2e:0e:3d:bd:25:ab in logs

(23 Mar '17, 06:54) pmycue

The different MAC addresses make sense.

2c:0e:3d:bd:25:ab = This is a universally administered address and is uniquely assigned to a device by its manufacturer. The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI). In this case, 2c:0e:3d is registered to Samsung.

2e:0e:3d:bd:25:ab = This is a locally administered address and does not need to be registered with the IEEE. The local addresses are typically used by devices for P2P or Mobile Hotspot.

A good P2P filter is = wlan_mgt.ssid contains "DIRECT"

All WiFi P2P connections must have the word DIRECT in their SSID per the specification.

@pmycue = Are you still seeing mdns multicast traffic when not connected to an AP? Are you only seeing mdns traffic while attempting to connect via P2P or have already established a P2P session?

(23 Mar '17, 07:58) Amato_C
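Added example, not part of the original thread: the two addresses discussed above differ only in the universal/local bit (0x02) of the first octet, so an address seen in a trace can be matched back to a device's settings address by ignoring that bit. The function names are made up for illustration, and the match is a heuristic for the pattern seen in this thread; a fully randomized address will not match anything.

```python
def parse_mac(text: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff (or with dashes) into 6 bytes."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(not 1 <= len(p) <= 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def describe(text: str) -> dict:
    """Report the two flag bits in the first octet and the OUI field."""
    raw = parse_mac(text)
    return {
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit
        "group": bool(raw[0] & 0x01),                 # I/G bit (multicast)
        "oui": format_mac(raw[:3]),                   # only meaningful if universal
    }

def universal_form(text: str) -> str:
    """Same address with the U/L bit cleared."""
    raw = bytearray(parse_mac(text))
    raw[0] &= 0xFD
    return format_mac(raw)

def match_known(observed: str, known: list) -> list:
    """Known addresses equal to `observed` once the U/L bit is ignored."""
    target = universal_form(observed)
    return [k for k in known if universal_form(k) == target]

# Addresses quoted in the thread, plus one constructed unrelated address.
SETTINGS_MAC = "2c:0e:3d:bd:25:ab"
TRACE_MAC = "2e:0e:3d:bd:25:ab"
KNOWN = [SETTINGS_MAC, "00:11:22:33:44:55"]

if __name__ == "__main__":
    for mac in (SETTINGS_MAC, TRACE_MAC):
        print(mac, describe(mac))
    print("trace address maps to:", match_known(TRACE_MAC, KNOWN))
```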

@Amato,

Thanks for the detail and the link. Interesting new technology.

(23 Mar '17, 12:22) Bob Jones
question asked: 21 Mar '17, 13:40

question was seen: 1,778 times

last updated: 23 Mar '17, 12:22