WN Blog 002 – Wireshark Filters

Both Mac & Matt are currently studying for their final CWNP exam – CWAP! And have been making notes and tips along the way so we wanted to share some with you guys.

A lot of these Wireshark filters below we got from the guys over at CTS but we have added a few more that we have found useful and we will keep adding along the way of our journey!

Basic filter:

  • wlan.addr == 00:11:22:33:44:55 (Mac address)

Filter on only authentication:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x000b

Filter on only association request:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0000

Filter on only association response:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0001

Filter on only probe request:

  • wlan.addr == 00:11:22:33:44:55 (Mac address)&& wlan.fc.type_subtype == 0x0004

Filter on only probe response: 

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0005

4 way handshake filter:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && eapol

Filter by SSID:

  • wlan_mgmt.SSID == “SSID”

Filter by AP:

  • wlan.bssid == “AP MAC Address”

Power Management:

  • wlan.fc.pwrmgt == 1 (or 0)

Retransmissions:

  • Retransmissions: wlan.fc.retry==1
  • Retries to DS: wlan.fc.retry==1 && wlan.fc.tods==1
  • Retries from DS: wlan.fc.retry==1 && wlan.fc.fromds==1

Filter Addresses:

  • MAC Address: wlan.addr == 00:11:22:33:44:55 (Mac address)
  • Transmitter address: wlan.ta == 00:11:22:33:44:55 (Mac address)
  • Receiver address: wlan.ra == 00:11:22:33:44:55 (Mac address)
  • Source address: wlan.sa == 00:11:22:33:44:55 (Mac address)
  • Destination address: wlan.da == 00:11:22:33:44:55 (Mac address)

802.11 Management Frames:

  • All management frames: wlan.fc.type == 0
  • Association request: wlan.fc.type_subtype == 0
  • Association response: wlan.fc.type_subtype == 1
  • Re-association request: wlan.fc.type_subtype == 2
  • Re-association response: wlan.fc.type_subtype == 3
  • Probe request: wlan.fc.type_subtype == 4
  • Probe response: wlan.fc.type_subtype == 5
  • Beacons: wlan.fc.type_subtype == 8
  • ATIMs: wlan.fc.type_subtype == 9
  • Disassociations: wlan.fc.type_subtype == 10
  • Authentications: wlan.fc.type_subtype == 11
  • De-authentications: wlan.fc.type_subtype == 12
  • Actions: wlan.fc.type_subtype == 13

802.11 Control Frames:

  • All control frames: wlan.fc.type == 1
  • Block ack requests: wlan.fc.type_subtype == 24
  • Block ACKs: wlan.fc.type_subtype == 25
  • PS-Polls: wlan.fc.type_subtype == 26
  • Ready to Sends: wlan.fc.type_subtype == 27
  • Clear to sends: wlan.fc.type_subtype == 28
  • ACKs: wlan.fc.type_subtype == 29
  • CF-Ends: wlan.fc.type_subtype == 30
  • CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31

802.11 Data Frames:

  •  All Data frames: wlan.fc.type == 2
  • Data: wlan.fc.type_subtype == 32
  • Data + CF-ACK: wlan.fc.type_subtype == 33
  • Data + CF-Poll: wlan.fc.type_subtype == 34
  • Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
  • Null: wlan.fc.type_subtype == 36
  • CF-ACK: wlan.fc.type_subtype == 37
  • CF-Poll: wlan.fc.type_subtype == 38
  • CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
  • QoS data: wlan.fc.type_subtype == 40
  • QoS data + CF-ACK: wlan.fc.type_subtype == 41
  • QoS data + CF-Poll: wlan.fc.type_subtype == 42
  • QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
  • QoS Null: wlan.fc.type_subtype == 44
  • Qos CF-Poll: wlan.fc.type_subtype == 46
  • QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47

Radio Tap Header Information:

  • Specific Channel: radiotap.channel.freq == 5240 (frequency)
  • Specific data rate: radiotap.datarate == 6 (rate in mbps)
  • RSSI: radiotap.dbm_antsignal == -60 (rate in dbm)

Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us ! 🙂

Stay up to date with the WiFi Ninjas
Never miss a blog or podcast again!