Both Mac and Matt are currently studying for their final CWNP exam, CWAP, and have been making notes and tips along the way, so we wanted to share some with you guys.
A lot of the Wireshark filters below we got from the guys over at CTS, but we have added a few more that we have found useful, and we will keep adding to the list as our journey continues!
Basic filter:
- wlan.addr == 00:11:22:33:44:55 (MAC address)
Filter on only authentication:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x000b
Filter on only association request:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0000
Filter on only association response:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0001
Filter on only probe request:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0004
Filter on only probe response:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0005
4-way handshake filter:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && eapol
Filter by SSID:
- wlan.ssid == "SSID" (older Wireshark releases name this field wlan_mgt.ssid)
Filter by AP:
- wlan.bssid == 00:11:22:33:44:55 (AP MAC address)
Power Management:
- wlan.fc.pwrmgt == 1 (or 0)
Retransmissions:
- Retransmissions: wlan.fc.retry == 1
- Retries to DS: wlan.fc.retry == 1 && wlan.fc.tods == 1
- Retries from DS: wlan.fc.retry == 1 && wlan.fc.fromds == 1
Filter Addresses:
- MAC address (any address field): wlan.addr == 00:11:22:33:44:55 (MAC address)
- Transmitter address: wlan.ta == 00:11:22:33:44:55 (MAC address)
- Receiver address: wlan.ra == 00:11:22:33:44:55 (MAC address)
- Source address: wlan.sa == 00:11:22:33:44:55 (MAC address)
- Destination address: wlan.da == 00:11:22:33:44:55 (MAC address)
802.11 Management Frames:
- All management frames: wlan.fc.type == 0
- Association request: wlan.fc.type_subtype == 0
- Association response: wlan.fc.type_subtype == 1
- Re-association request: wlan.fc.type_subtype == 2
- Re-association response: wlan.fc.type_subtype == 3
- Probe request: wlan.fc.type_subtype == 4
- Probe response: wlan.fc.type_subtype == 5
- Beacons: wlan.fc.type_subtype == 8
- ATIMs: wlan.fc.type_subtype == 9
- Disassociations: wlan.fc.type_subtype == 10
- Authentications: wlan.fc.type_subtype == 11
- De-authentications: wlan.fc.type_subtype == 12
- Actions: wlan.fc.type_subtype == 13
802.11 Control Frames:
- All control frames: wlan.fc.type == 1
- Block ack requests: wlan.fc.type_subtype == 24
- Block ACKs: wlan.fc.type_subtype == 25
- PS-Polls: wlan.fc.type_subtype == 26
- Ready to Sends: wlan.fc.type_subtype == 27
- Clear to sends: wlan.fc.type_subtype == 28
- ACKs: wlan.fc.type_subtype == 29
- CF-Ends: wlan.fc.type_subtype == 30
- CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31
802.11 Data Frames:
- All Data frames: wlan.fc.type == 2
- Data: wlan.fc.type_subtype == 32
- Data + CF-ACK: wlan.fc.type_subtype == 33
- Data + CF-Poll: wlan.fc.type_subtype == 34
- Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
- Null: wlan.fc.type_subtype == 36
- CF-ACK: wlan.fc.type_subtype == 37
- CF-Poll: wlan.fc.type_subtype == 38
- CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
- QoS data: wlan.fc.type_subtype == 40
- QoS data + CF-ACK: wlan.fc.type_subtype == 41
- QoS data + CF-Poll: wlan.fc.type_subtype == 42
- QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
- QoS Null: wlan.fc.type_subtype == 44
- QoS CF-Poll: wlan.fc.type_subtype == 46
- QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47
Radio Tap Header Information:
- Specific channel: radiotap.channel.freq == 5240 (centre frequency in MHz)
- Specific data rate: radiotap.datarate == 6 (rate in Mbps)
- RSSI: radiotap.dbm_antsignal == -60 (signal strength in dBm)
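As an added example (our own code, not from CTS or from Wireshark), here is a small Python decoder that shows where the wlan.fc.type_subtype numbers and the RA/TA/SA/DA/BSSID fields above come from: it parses the Frame Control field of a few constructed 802.11 headers, computes the same type_subtype value Wireshark displays, assigns address roles from the ToDS/FromDS bits, and re-implements filters such as "Retries to DS" over the sample frames. The function names, the sample MAC addresses and the frames are all made up for the example.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame):
    """Decode the Frame Control flags and address roles of a raw 802.11 MAC header. type_subtype is
    (type << 4) | subtype, the number wlan.fc.type_subtype shows (mgmt 0-13, control 24-31, data 32-47)."""
    fc = struct.unpack_from("<H", frame, 0)[0]            # 2-byte little-endian field
    f = {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
         "tods": bool(fc & 0x0100), "fromds": bool(fc & 0x0200),
         "retry": bool(fc & 0x0800), "pwrmgt": bool(fc & 0x1000)}
    f["type_subtype"] = (f["type"] << 4) | f["subtype"]
    f["ra"] = mac(frame[4:10])                             # Address 1 is always the receiver
    f["ta"] = mac(frame[10:16]) if len(frame) >= 16 else None   # CTS and ACK carry only an RA
    if f["type"] == 1:                                     # control frames have no SA/DA/BSSID
        return f
    a1, a2, a3 = f["ra"], f["ta"], mac(frame[16:22])
    if f["tods"] and f["fromds"]:                          # 4-address (WDS): SA is Address 4
        f["da"], f["sa"], f["bssid"] = a3, mac(frame[24:30]), None
    elif f["tods"]:                                        # station -> AP
        f["bssid"], f["sa"], f["da"] = a1, a2, a3
    elif f["fromds"]:                                      # AP -> station
        f["da"], f["bssid"], f["sa"] = a1, a2, a3
    else:                                                  # management frames and IBSS data
        f["da"], f["sa"], f["bssid"] = a1, a2, a3
    return f

def wlan_filter(frames, addr=None, type_subtype=None, retry=None, tods=None):
    """Equivalent of e.g. 'wlan.addr == X && wlan.fc.retry == 1 && wlan.fc.tods == 1'.
    Like wlan.addr in Wireshark, addr matches any address field (RA, TA, SA, DA or BSSID)."""
    return [f for f in map(parse_80211, frames)
            if (addr is None or addr in {f.get(k) for k in ("ra", "ta", "sa", "da", "bssid")})
            and (type_subtype is None or f["type_subtype"] == type_subtype)
            and (retry is None or f["retry"] == retry)
            and (tods is None or f["tods"] == tods)]

# Constructed sample frames (no FCS): FC | Duration | Addr1 [| Addr2 | Addr3 | SeqCtl [| Addr4]]
def build(fc, a1, a2=b"", a3=b"", a4=b""):
    return struct.pack("<H", fc) + b"\x00\x00" + a1 + a2 + a3 + (b"\x00\x00" + a4 if a3 else b"")
STA, AP, GW, BCAST = (bytes.fromhex(h) for h in ("001122334455", "aabbccddeeff", "0a0b0c0d0e0f", "ffffffffffff"))
SAMPLE = [
    build(0x0040, BCAST, STA, BCAST),   # probe request from the station       (type_subtype 4)
    build(0x0988, AP, STA, GW),         # QoS data STA -> AP, ToDS + Retry set  (40)
    build(0x0188, AP, STA, GW),         # the same QoS data, first transmission (40)
    build(0x0288, STA, AP, GW),         # QoS data AP -> STA, FromDS            (40)
    build(0x00c0, STA, AP, AP),         # deauthentication sent by the AP       (12)
    build(0x00d4, STA),                 # ACK: control frame with RA only       (29)
]
```

Running `wlan_filter(SAMPLE, addr="00:11:22:33:44:55", retry=True, tods=True)` is the "Retries to DS" filter for that station and returns only the retried uplink QoS data frame; `wlan_filter(SAMPLE, type_subtype=12)` picks out the deauthentication, which is the frame type to watch when a client keeps dropping off.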
Please feel free to comment if any of you guys have other common useful filters that you use and can share with us! 🙂