For example, I want to capture traffic between an AP (00:00:00:11:11:11) and a terminal (00:00:00:22:22:22). With the AirPcap I have been able to capture all 802.11 frames by defining this capture filter:

(ether src host 00:00:00:11:11:11 and ether dst host 00:00:00:22:22:22) or (ether dst host 00:00:00:11:11:11 and ether src host 00:00:00:22:22:22)

However, when I try to capture all frames without this capture filter and later apply the display filter below, no frames are displayed. I guess both filters have the same meaning?

(eth.src == 00:00:00:11:11:11 and eth.dst == 00:00:00:22:22:22) || (eth.dst == 00:00:00:11:11:11 and eth.src == 00:00:00:22:22:22)

Strangely, even when I apply the display filter eth.src == 00:00:00:11:11:11, I see no frames. I am keen to learn Wireshark; I installed it just 2 days ago. Can anyone tell me if my display filter syntax is incorrect? Thank you in advance.

asked 16 Mar '12, 07:17 WiresharkJW
One Answer:
I got the answer from someone, and I am sharing it for beginners who want to capture 802.11 frames:

For capture filters: use "ether src host" / "ether dst host"

For display filters: use "wlan.sa" / "wlan.da"

answered 16 Mar '12, 09:28 WiresharkJW
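
The following is an added example, not part of the original question or answer. It goes one step beyond the answer by showing how the source and destination addresses behind wlan.sa / wlan.da are read from the 802.11 header's address fields according to the To DS / From DS bits, and then applies the question's two-way filter logic. It assumes frames start at the 802.11 MAC header (no radiotap or PPI prefix); the helper names, the sample frames and the third station address are constructed for illustration.

```python
# Added example: how wlan.sa / wlan.da map onto the raw 802.11 address fields.
# Assumes each frame starts at the 802.11 MAC header (no radiotap/PPI prefix).

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def sa_da(frame):
    """Return (sa, da) for a management or data frame, or None."""
    if len(frame) < 24:
        return None
    ftype = (frame[0] >> 2) & 0x3      # 0 = management, 1 = control, 2 = data
    if ftype not in (0, 2):
        return None                    # control frames carry only RA/TA
    to_ds = frame[1] & 0x01
    from_ds = frame[1] & 0x02
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if not to_ds and not from_ds:      # ad hoc / management
        sa, da = a2, a1
    elif from_ds and not to_ds:        # AP -> station
        sa, da = a3, a1
    elif to_ds and not from_ds:        # station -> AP
        sa, da = a2, a3
    else:                              # 4-address (WDS) frame
        if len(frame) < 30:
            return None
        sa, da = frame[24:30], a3
    return mac(sa), mac(da)

def in_conversation(frame, a, b):
    """(wlan.sa == a && wlan.da == b) || (wlan.sa == b && wlan.da == a)"""
    return sa_da(frame) in ((a, b), (b, a))

def build_data_frame(flags, a1, a2, a3):
    """Constructed minimal data frame: FC, duration, 3 addresses, seq ctrl."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([0x08, flags]) + b"\x00\x00" + raw(a1) + raw(a2) + raw(a3) + b"\x00\x00"

AP, STA = "00:00:00:11:11:11", "00:00:00:22:22:22"   # addresses from the question
OTHER = "00:00:00:33:33:33"                          # constructed third station
FRAMES = [
    build_data_frame(0x02, STA, AP, AP),    # From DS: AP -> terminal
    build_data_frame(0x01, AP, STA, AP),    # To DS: terminal -> AP
    build_data_frame(0x01, AP, OTHER, AP),  # To DS: other station -> AP
]

if __name__ == "__main__":
    for f in FRAMES:
        print(sa_da(f), in_conversation(f, AP, STA))
```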