WIRELESS PACKET CAPTURE ANALYSIS FILTERS

==>Capture particular client traffic for sa/da/ra/ta:

((wlan.sa[4-5]==XX:XX || wlan.da[4-5]==XX:XX || wlan.ra[4-5]==XX:XX || wlan.ta[4-5]==XX:XX))

Example:
((wlan.sa[4-5]==e9:d4 || wlan.da[4-5]==e9:d4 || wlan.ra[4-5]==e9:d4 || wlan.ta[4-5]==e9:d4))

==>Here’s a Wireshark display filter to capture beacons for a specific BSSID

wlan.fc.type_subtype == 0x0008 && wlan.bssid == xx:xx:xx:xx:xx:xx

Example:
wlan.fc.type_subtype == 0x0008 && wlan.bssid == 06:02:02:0d:49:96

==>Capture retries of a station:

wlan.fc.retry eq 1 and (wlan.sa == xx:xx:xx:xx:xx:xx || wlan.ta == xx:xx:xx:xx:xx:xx)
wlan.fc.retry eq 0 and (wlan.sa == xx:xx:xx:xx:xx:xx || wlan.ta == xx:xx:xx:xx:xx:xx)

Example (the [4-5] slice matches on the last two octets of the address, as in the station filter above):
wlan.fc.retry eq 1 and wlan.ta[4-5]==0d:c3 and wlan.sa[4-5]==0d:c3
wlan.fc.retry eq 1 and wlan.ta==06:02:02:0d:49:96

#FOR WIFI THROUGHPUT TEST ANALYSIS:

wlan.fc.type_subtype == 0x001c && wlan.duration > 2000
(0x1c selects CTS frames; wlan.duration is the NAV reservation in microseconds, so this shows CTS frames that reserve the medium for more than 2000 µs)

#OTHER HANDY WIFI PACKET FILTERS :

* Show only the beacon frames:
wlan.fc.type_subtype == 0x08
* Show everything except the beacon frames:
!wlan.fc.type_subtype == 0x08
* Show only beacon frames and ack frames:
(wlan.fc.type_subtype == 0x08) || (wlan.fc.type_subtype == 0x1d)
* Show everything except the beacon and ack frames
(!wlan.fc.type_subtype == 0x08) && (!wlan.fc.type_subtype == 0x1d)
The filters below use tcpdump/pcap-filter capture syntax rather than Wireshark display syntax: wlan[0] is the first byte of the 802.11 frame, the frame control byte, so a frame type is matched by its raw byte value (for example 0x80 for a beacon, where the display filter uses wlan.fc.type_subtype == 0x08).

"Capture only Ethernet type EAPOL" ether proto 0x888e
"Probe Requests" wlan[0] == 0x40
"No Probe Requests" wlan[0] != 0x40
"Probe Response" wlan[0] == 0x50
"No Probe Response" wlan[0] != 0x50
"Ack" wlan[0] == 0xd4
"No Ack" wlan[0] != 0xd4
"CF-End" wlan[0] == 0xe4
"No CF-End" wlan[0] != 0xe4
"Clear-to-send" wlan[0] == 0xc4
"No Clear-to-send" wlan[0] != 0xc4
"Beacon Frames – Probe Response/Request – Ack" wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4
"No Beacon Frames – No Probe Response/Request – No Ack" wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4
"Beacon Frames – Probe Resp/Req – Ack – CF-End – Clear-to-send" wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4 or wlan[0] == 0xe4 or wlan[0] == 0xc4
"No Beacon Frames – Probe Resp/Req – Ack – CF-End – Clear-to-send" wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4 and wlan[0] != 0xe4 and wlan[0] != 0xc4
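As an added example (not part of the original post), the Python script below decodes the 802.11 MAC header fields that the filters on this page test, evaluates the station, beacon, retry and long-CTS display filters as predicates against a few constructed frames, and converts between the raw frame control byte that a tcpdump wlan[0] filter compares and the wlan.fc.type_subtype value a Wireshark display filter compares. The frames are constructed inline, not captured traffic; the BSSID 06:02:02:0d:49:96 is reused from the post's example, and the station address 02:00:00:00:e9:d4 is an assumed value chosen so that its last two octets match the e9:d4 example above.

```python
"""Added example (not from the original post): parse 802.11 headers, evaluate the
page's display filters in Python, and map tcpdump's wlan[0] byte to Wireshark's
wlan.fc.type_subtype. All frames below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class Dot11Header:
    version: int
    ftype: int        # 0 = management, 1 = control, 2 = data
    subtype: int
    to_ds: bool
    from_ds: bool
    retry: bool       # wlan.fc.retry
    duration: int     # NAV in microseconds (wlan.duration)
    addrs: List[str]  # addr1..addr3 as present; ACK/CTS carry addr1 only


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> Dot11Header:
    """Frame control (2 bytes), duration (little-endian 16 bit), then addresses."""
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    addrs = [mac_str(frame[o:o + 6]) for o in (4, 10, 16) if len(frame) >= o + 6]
    return Dot11Header(version=fc0 & 0x3, ftype=(fc0 >> 2) & 0x3, subtype=(fc0 >> 4) & 0xF,
                       to_ds=bool(fc1 & 0x01), from_ds=bool(fc1 & 0x02),
                       retry=bool(fc1 & 0x08), duration=duration, addrs=addrs)


def type_subtype(h: Dot11Header) -> int:
    """Wireshark's wlan.fc.type_subtype: type in the high nibble, subtype in the low."""
    return (h.ftype << 4) | h.subtype


def fc_byte_from_type_subtype(ts: int) -> int:
    """Raw frame control byte (what 'wlan[0] == ...' compares): subtype in bits 7-4,
    type in bits 3-2, protocol version 0 in bits 1-0. 0x08 (beacon) -> 0x80."""
    ftype, subtype = (ts >> 4) & 0x3, ts & 0xF
    return (subtype << 4) | (ftype << 2)


def type_subtype_from_fc_byte(b: int) -> int:
    return (((b >> 2) & 0x3) << 4) | ((b >> 4) & 0xF)


def logical_addresses(h: Dot11Header) -> dict:
    """Derive ra/ta/sa/da/bssid from addr1..addr3 using the To/From DS bits."""
    a = h.addrs
    out = {"ra": a[0], "ta": a[1] if len(a) > 1 else None}
    if len(a) < 3:
        return out  # control frames have no sa/da/bssid
    if not h.to_ds and not h.from_ds:
        da, sa, bssid = a
    elif h.to_ds and not h.from_ds:
        bssid, sa, da = a
    elif h.from_ds and not h.to_ds:
        da, bssid, sa = a
    else:
        raise ValueError("4-address WDS frames are outside this example")
    out.update(sa=sa, da=da, bssid=bssid)
    return out


def _suffix_match(h: Dot11Header, last_two: str, keys) -> bool:
    addrs = logical_addresses(h)
    return any(addrs.get(k) is not None and addrs[k][-5:] == last_two for k in keys)


def involves_station(h: Dot11Header, last_two: str) -> bool:
    """wlan.sa[4-5]==XX:XX || wlan.da[4-5]==XX:XX || wlan.ra[4-5]==XX:XX || wlan.ta[4-5]==XX:XX"""
    return _suffix_match(h, last_two, ("sa", "da", "ra", "ta"))


def beacon_for_bssid(h: Dot11Header, bssid: str) -> bool:
    """wlan.fc.type_subtype == 0x0008 && wlan.bssid == bssid"""
    return type_subtype(h) == 0x08 and logical_addresses(h).get("bssid") == bssid


def retry_from_station(h: Dot11Header, last_two: str) -> bool:
    """wlan.fc.retry eq 1 and (wlan.sa[4-5]==XX:XX || wlan.ta[4-5]==XX:XX)"""
    return h.retry and _suffix_match(h, last_two, ("sa", "ta"))


def long_cts(h: Dot11Header, threshold_us: int = 2000) -> bool:
    """wlan.fc.type_subtype == 0x001c && wlan.duration > 2000"""
    return type_subtype(h) == 0x1c and h.duration > threshold_us


def build_frame(fc0: int, fc1: int, duration: int, *addrs: str) -> bytes:
    """Construct a minimal MAC header (sequence control appended for 3-address frames)."""
    frame = struct.pack("<BBH", fc0, fc1, duration)
    frame += b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    return frame + (b"\x00\x00" if len(addrs) == 3 else b"")


AP = "06:02:02:0d:49:96"    # BSSID from the post's example
STA = "02:00:00:00:e9:d4"   # assumed station address, chosen to end in e9:d4
BEACON = build_frame(0x80, 0x00, 0, "ff:ff:ff:ff:ff:ff", AP, AP)
RETRY_DATA = build_frame(0x08, 0x09, 44, AP, STA, "02:00:00:00:00:01")  # ToDS + Retry
ACK = build_frame(0xd4, 0x00, 0, STA)
CTS = build_frame(0xc4, 0x00, 3000, AP)

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("retry data", RETRY_DATA), ("ack", ACK), ("cts", CTS)):
        h, ts = parse_header(raw), type_subtype(parse_header(raw))
        print(f"{name:10s} type_subtype=0x{ts:02x} wlan[0]==0x{fc_byte_from_type_subtype(ts):02x}"
              f" station={involves_station(h, 'e9:d4')} retry={retry_from_station(h, 'e9:d4')}"
              f" long_cts={long_cts(h)}")
```

Running the script prints one line per constructed frame showing both notations side by side; the sa/da mapping only covers the three single-BSS address configurations, which is what the station filter on this page relies on.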
