I am using Wireshark with the AirPcapNx adapter to capture 802.11 packets. Is there a Wireshark CAPTURE filter that can be utilized to filter out (NOT capture) particular packet types/subtypes? More specifically, I would like to capture no data frames (type 10) except for null data frames (subtype 0100).

asked 26 Jan '12, 14:15 S_P
One Answer:
Never mind. After some searching and experimenting, it looks like "type" and "subtype" will do the trick. For example, "(not type data) or (type data and subtype null)" will filter out all data packets except for the null data packets.

answered 26 Jan '12, 19:18 S_P
I tried using: "not type data". No 802.11 data packets appear to have been captured. Without running a simultaneous non-filtered capture for comparison, which I am not presently capable of doing, it is difficult to know which packets were filtered out. Does anyone have any experience with this filter expression when used for an 802.11 packet capture?
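
The predicate behind the filter in the answer, "(not type data) or (type data and subtype null)", as an added example that is not part of the original thread: it decodes the type and subtype bits of the 802.11 Frame Control field and reports which frames the expression keeps, which is one way to check a saved capture offline. The function names and the sample frames are constructed for illustration, and the code assumes each frame starts at the 802.11 header (any radiotap or PPI header already stripped).

```python
# Added example: evaluate "(not type data) or (type data and subtype null)"
# against the Frame Control field of 802.11 frames.

TYPE_DATA = 0b10        # "type 10" in the question
SUBTYPE_NULL = 0b0100   # "subtype 0100" in the question


def frame_type_subtype(frame: bytes):
    """Return (type, subtype) decoded from the first Frame Control octet.

    Bit layout of that octet, least significant bit first:
    bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    """
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte Frame Control field")
    fc0 = frame[0]
    return (fc0 >> 2) & 0b11, (fc0 >> 4) & 0b1111


def passes_filter(frame: bytes) -> bool:
    """True if the frame would be kept by the filter expression."""
    ftype, subtype = frame_type_subtype(frame)
    return ftype != TYPE_DATA or subtype == SUBTYPE_NULL


# Constructed sample frames: only the two Frame Control octets are given.
SAMPLE_FRAMES = {
    "beacon":   bytes([0x80, 0x00]),  # type 00 (management), subtype 1000
    "ack":      bytes([0xD4, 0x00]),  # type 01 (control),    subtype 1101
    "data":     bytes([0x08, 0x01]),  # type 10 (data),       subtype 0000
    "null":     bytes([0x48, 0x01]),  # type 10 (data),       subtype 0100
    "qos-data": bytes([0x88, 0x01]),  # type 10 (data),       subtype 1000
    "qos-null": bytes([0xC8, 0x01]),  # type 10 (data),       subtype 1100
}


def summarize(frames):
    """Split frame names into (kept, dropped) according to the filter."""
    kept, dropped = [], []
    for name, raw in frames.items():
        (kept if passes_filter(raw) else dropped).append(name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = summarize(SAMPLE_FRAMES)
    print("kept:   ", kept)
    print("dropped:", dropped)
```

QoS Null frames carry subtype 1100, not 0100, so a test on subtype 0100 alone does not keep them.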