Both Mac & Matt are currently studying for their final CWNP exam, CWAP, and have been making notes and tips along the way, so we wanted to share some with you guys.
A lot of the Wireshark filters below we got from the guys over at CTS, but we have added a few more that we have found useful, and we will keep adding to the list as our journey continues!
Basic filter (matches the MAC address in any of the address fields):
- wlan.addr == 00:11:22:33:44:55 (MAC address)
Filter on only authentication:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x000b
Filter on only association request:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0000
Filter on only association response:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0001
Filter on only probe request:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0004
Filter on only probe response:
- wlan.addr == 00:11:22:33:44:55 (MAC address) && wlan.fc.type_subtype == 0x0005
4-way handshake filter (matches the EAPOL-Key frames, messages 1 to 4):
- wlan.addr == 00:11:22:33:44:55 (MAC address) && eapol
Filter by SSID (matches the frames that carry the SSID element: beacons, probe requests/responses and association requests):
- wlan.ssid == "SSID name" (or wlan.ssid contains "part of name" for a partial match)
Filter by AP:
- wlan.bssid == 00:11:22:33:44:55 (AP BSSID, written without quotes like the other addresses)
Power Management:
- wlan.fc.pwrmgt == 1 (or 0)
Retransmissions:
- All retries: wlan.fc.retry == 1
- Retries to DS (client to AP): wlan.fc.retry == 1 && wlan.fc.tods == 1
- Retries from DS (AP to client): wlan.fc.retry == 1 && wlan.fc.fromds == 1
Filter Addresses:
- Any address field: wlan.addr == 00:11:22:33:44:55 (MAC address)
- Transmitter address: wlan.ta == 00:11:22:33:44:55 (MAC address)
- Receiver address: wlan.ra == 00:11:22:33:44:55 (MAC address)
- Source address: wlan.sa == 00:11:22:33:44:55 (MAC address)
- Destination address: wlan.da == 00:11:22:33:44:55 (MAC address)
802.11 Management Frames (wlan.fc.type_subtype packs type and subtype as type * 16 + subtype, so management frames are 0 to 15, control frames 16 to 31 and data frames 32 to 47; the 0x000b used above is the same value as the 11 here):
- All management frames: wlan.fc.type == 0
- Association request: wlan.fc.type_subtype == 0
- Association response: wlan.fc.type_subtype == 1
- Re-association request: wlan.fc.type_subtype == 2
- Re-association response: wlan.fc.type_subtype == 3
- Probe request: wlan.fc.type_subtype == 4
- Probe response: wlan.fc.type_subtype == 5
- Beacons: wlan.fc.type_subtype == 8
- ATIMs: wlan.fc.type_subtype == 9
- Disassociations: wlan.fc.type_subtype == 10
- Authentications: wlan.fc.type_subtype == 11
- De-authentications: wlan.fc.type_subtype == 12
- Actions: wlan.fc.type_subtype == 13
802.11 Control Frames:
- All control frames: wlan.fc.type == 1
- Block Ack requests: wlan.fc.type_subtype == 24
- Block ACKs: wlan.fc.type_subtype == 25
- PS-Polls: wlan.fc.type_subtype == 26
- RTS (Request to Send): wlan.fc.type_subtype == 27
- CTS (Clear to Send): wlan.fc.type_subtype == 28
- ACKs: wlan.fc.type_subtype == 29
- CF-Ends: wlan.fc.type_subtype == 30
- CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31
802.11 Data Frames:
- All data frames: wlan.fc.type == 2
- Data: wlan.fc.type_subtype == 32
- Data + CF-ACK: wlan.fc.type_subtype == 33
- Data + CF-Poll: wlan.fc.type_subtype == 34
- Data + CF-ACK + CF-Poll: wlan.fc.type_subtype == 35
- Null: wlan.fc.type_subtype == 36
- CF-ACK: wlan.fc.type_subtype == 37
- CF-Poll: wlan.fc.type_subtype == 38
- CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
- QoS Data: wlan.fc.type_subtype == 40
- QoS Data + CF-ACK: wlan.fc.type_subtype == 41
- QoS Data + CF-Poll: wlan.fc.type_subtype == 42
- QoS Data + CF-ACK + CF-Poll: wlan.fc.type_subtype == 43
- QoS Null: wlan.fc.type_subtype == 44
- QoS CF-Poll: wlan.fc.type_subtype == 46
- QoS CF-ACK + CF-Poll: wlan.fc.type_subtype == 47
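The numbers in the three lists above come straight out of the 802.11 Frame Control field, and the address filters (wlan.ra, wlan.ta, wlan.sa, wlan.da, wlan.bssid) depend on the ToDS/FromDS bits in the same field. The Python below is an added example written for this page, not code from the original post or from CTS: it decodes a raw 802.11 MAC header the way Wireshark does, maps the three (or four) header addresses onto their roles, and builds the display filter that would match that frame. The sample frames and MAC addresses in it are constructed for illustration.

```python
# Added example, not from the original post: decode the 802.11 Frame Control
# field and MAC header addresses the way Wireshark does, so the numbers in the
# filters above (wlan.fc.type_subtype == 29, wlan.fc.retry == 1, wlan.fc.tods,
# wlan.ra / wlan.ta / wlan.sa / wlan.da / wlan.bssid) can be read straight off
# a raw frame. Input is the bare MAC header (no radiotap header, no FCS). The
# sample frames at the bottom are constructed by hand with made-up addresses.
from dataclasses import dataclass

MGMT, CTRL, DATA = 0, 1, 2

# Names keyed by wlan.fc.type_subtype. Wireshark packs the 2-bit type and the
# 4-bit subtype as (type << 4) | subtype, which is why management frames are
# 0-13, control frames 24-31 and data frames 32-47 in the lists above.
TYPE_SUBTYPE_NAMES = {
    0: "Association request", 1: "Association response", 2: "Reassociation request",
    3: "Reassociation response", 4: "Probe request", 5: "Probe response", 8: "Beacon",
    9: "ATIM", 10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
    13: "Action", 24: "Block Ack request", 25: "Block Ack", 26: "PS-Poll", 27: "RTS",
    28: "CTS", 29: "ACK", 30: "CF-End", 31: "CF-End + CF-Ack", 32: "Data", 36: "Null",
    40: "QoS Data", 44: "QoS Null",
}


@dataclass
class FrameControl:
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    retry: bool
    pwrmgt: bool

    @property
    def type_subtype(self) -> int:
        """The value wlan.fc.type_subtype is compared against."""
        return (self.ftype << 4) | self.subtype

    @property
    def name(self) -> str:
        return TYPE_SUBTYPE_NAMES.get(self.type_subtype, "Reserved/unknown")


def parse_frame_control(frame: bytes) -> FrameControl:
    """Frame Control is the first two bytes of every 802.11 frame."""
    b0, b1 = frame[0], frame[1]
    return FrameControl(
        ftype=(b0 >> 2) & 0x03,    # bits 2-3 of byte 0 (bits 0-1 are the version)
        subtype=(b0 >> 4) & 0x0F,  # bits 4-7 of byte 0
        to_ds=bool(b1 & 0x01),     # flag bits live in byte 1
        from_ds=bool(b1 & 0x02),
        retry=bool(b1 & 0x08),
        pwrmgt=bool(b1 & 0x10),
    )


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def address_roles(frame: bytes) -> dict:
    """Map Address 1-4 onto RA/TA/SA/DA/BSSID as wlan.ra, wlan.ta, wlan.sa,
    wlan.da and wlan.bssid do. For data frames the mapping depends on ToDS and
    FromDS, so a retry to DS (wlan.fc.tods == 1) has the BSSID as receiver
    and the client as both transmitter and source."""
    fc = parse_frame_control(frame)
    a1 = _mac(frame[4:10])
    if fc.ftype == CTRL:
        roles = {"ra": a1}               # ACK and CTS carry only a receiver
        if fc.subtype in (8, 10, 11):    # BAR, PS-Poll and RTS also carry a TA
            roles["ta"] = _mac(frame[10:16])
        return roles
    a2, a3 = _mac(frame[10:16]), _mac(frame[16:22])
    if fc.ftype == MGMT or not (fc.to_ds or fc.from_ds):   # management / IBSS
        return {"ra": a1, "da": a1, "ta": a2, "sa": a2, "bssid": a3}
    if fc.to_ds and not fc.from_ds:                        # client -> AP
        return {"ra": a1, "bssid": a1, "ta": a2, "sa": a2, "da": a3}
    if fc.from_ds and not fc.to_ds:                        # AP -> client
        return {"ra": a1, "da": a1, "ta": a2, "bssid": a2, "sa": a3}
    return {"ra": a1, "ta": a2, "da": a3, "sa": _mac(frame[24:30])}  # WDS, 4 addresses


def display_filter(frame: bytes) -> str:
    """Wireshark display filter selecting this frame's class and flags."""
    fc = parse_frame_control(frame)
    parts = [f"wlan.fc.type_subtype == {fc.type_subtype}"]
    if fc.ftype == DATA:
        parts += [f"wlan.fc.tods == {int(fc.to_ds)}", f"wlan.fc.fromds == {int(fc.from_ds)}"]
    if fc.retry:
        parts.append("wlan.fc.retry == 1")
    if fc.pwrmgt:
        parts.append("wlan.fc.pwrmgt == 1")
    return " && ".join(parts)


# Constructed sample headers (made-up addresses). Layout: FC(2) Duration(2)
# Addr1(6) Addr2(6) Addr3(6) SeqCtl(2); an ACK is just FC(2) Duration(2) RA(6).
AP, STA, GW = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"), bytes.fromhex("00000a0b0c0d")
BCAST = b"\xff" * 6
BEACON = bytes([0x80, 0x00, 0x00, 0x00]) + BCAST + AP + AP + bytes([0x10, 0x00])
AUTH = bytes([0xB0, 0x00, 0x3A, 0x01]) + AP + STA + AP + bytes([0x00, 0x00])
QOS_RETRY_TO_DS = bytes([0x88, 0x09, 0x2C, 0x00]) + AP + STA + GW + bytes([0x20, 0x00])  # flags 0x09 = ToDS | Retry
ACK = bytes([0xD4, 0x00, 0x00, 0x00]) + STA
```

Running display_filter(QOS_RETRY_TO_DS) gives "wlan.fc.type_subtype == 40 && wlan.fc.tods == 1 && wlan.fc.fromds == 0 && wlan.fc.retry == 1", which is the "retries to DS" filter above narrowed to QoS Data, and address_roles on the same frame puts the AP in both ra and bssid and the client in both ta and sa, which is why wlan.ta is the right field when you want frames a particular client actually put on the air.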
Radio Tap Header Information (these fields only exist when the capture carries a radiotap pseudo-header, which depends on the capture adapter and driver):
- Specific channel: radiotap.channel.freq == 5240 (centre frequency in MHz)
- Specific data rate: radiotap.datarate == 6 (legacy rate in Mbps; HT/VHT frames report an MCS index in radiotap.mcs.index instead)
- RSSI: radiotap.dbm_antsignal == -60 (signal strength in dBm; for a range use <= or >=, e.g. radiotap.dbm_antsignal <= -70 to find weak clients)
Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us! 🙂