This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ethernet address display filter on 802.11 frames

0

For example, I want to capture traffic between an AP (00:00:00:11:11:11) and a terminal (00:00:00:22:22:22) with the AirPcap.

I have been able to capture all 802.11 frames by defining capture filter:

(ether src host 00:00:00:11:11:11 and ether dst host 00:00:00:22:22:22) or (ether dst host 00:00:00:11:11:11 and ether src host 00:00:00:22:22:22)

However, when I try to capture all frames without this capture filter and later apply the display filter below, I see that no frames are displayed. I guess both filters have the same meaning?

(eth.src == 00:00:00:11:11:11 and eth.dst == 00:00:00:22:22:22) || (eth.dst == 00:00:00:11:11:11 and eth.src == 00:00:00:22:22:22)

What is strange is that even if I apply the display filter eth.src == 00:00:00:11:11:11, I see no frames.

I am keen to learn Wireshark; I installed it just 2 days ago.

Can anyone teach me whether my display filter syntax is incorrect?

Thank you in advance.

asked 16 Mar '12, 07:17

WiresharkJW
1112
accept rate: 100%


One Answer:

0

I got the answer from someone. Just sharing it for beginners who want to capture 802.11 frames:

For capture filter: use "ether src host" / "ether dst host"
For display filter: use "wlan.sa" / "wlan.da"

answered 16 Mar '12, 09:28

WiresharkJW
1112
accept rate: 100%
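
Background for the answer above, as an added example that is not part of the original post and not Wireshark's code: an 802.11 frame has no Ethernet header for eth.src / eth.dst to match, and the source and destination that wlan.sa / wlan.da refer to are chosen from the header's address fields according to the To DS / From DS flags. The sketch assumes a bare 802.11 MAC header (no radiotap or PPI header in front); the function names and the sample frames are constructed for illustration.

```python
def mac(b):
    """Format 6 raw bytes as a colon-separated MAC string."""
    return ":".join(f"{x:02x}" for x in b)

def sa_da(frame):
    """Return (source, destination) from a bare 802.11 MAC header.

    Returns None for control frames and truncated input, which carry
    no source/destination pair.
    """
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # 0 = management, 1 = control, 2 = data
    if ftype == 1:
        return None
    to_ds, from_ds = flags & 0x01, (flags >> 1) & 0x01
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:             # WDS: addr3 = DA, addr4 = SA
        if len(frame) < 30:
            return None
        return mac(frame[24:30]), mac(a3)
    if to_ds:                         # station -> AP: addr2 = SA, addr3 = DA
        return mac(a2), mac(a3)
    if from_ds:                       # AP -> station: addr3 = SA, addr1 = DA
        return mac(a3), mac(a1)
    return mac(a2), mac(a1)           # IBSS / management: addr2 = SA, addr1 = DA

def between(frame, x, y):
    """True if the frame goes x -> y or y -> x (the filter from the question)."""
    return sa_da(frame) in ((x, y), (y, x))

def hdr(fc0, flags, a1, a2, a3):
    """Build a constructed 24-byte header (duration and sequence set to 0)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, flags, 0, 0]) + raw(a1) + raw(a2) + raw(a3) + b"\x00\x00"

AP, STA, OTHER = "00:00:00:11:11:11", "00:00:00:22:22:22", "00:00:00:33:33:33"
# Constructed sample frames (not captured traffic); the AP is also the BSSID.
UPLINK = hdr(0x08, 0x01, AP, STA, AP)       # data, To DS: STA -> AP
DOWNLINK = hdr(0x08, 0x02, STA, AP, AP)     # data, From DS: AP -> STA
FOREIGN = hdr(0x08, 0x02, OTHER, AP, AP)    # data, From DS: AP -> OTHER
ACK = bytes([0xD4, 0x00, 0, 0]) + bytes(6)  # control frame, receiver address only
```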