Both Mac & Matt are currently studying for their final CWNP exam – CWAP! And have been making notes and tips along the way so we wanted to share some with you guys.

A lot of these Wireshark filters below we got from the guys over at CTS but we have added a few more that we have found useful and we will keep adding along the way of our journey!

Basic filter:

• wlan.addr == 00:11:22:33:44:55 (Mac address)

Filter on only authentication:

• wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x000b

Filter on only association request:

• wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0000

Filter on only association response:

• wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0001

Filter on only probe request:

• wlan.addr == 00:11:22:33:44:55 (Mac address)&& wlan.fc.type_subtype == 0x0004

Filter on only probe response: 

• wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0005

4 way handshake filter:

• wlan.addr == 00:11:22:33:44:55 (Mac address) && eapol

Filter by SSID:

• wlan_mgmt.SSID == “SSID”

Filter by AP:

• wlan.bssid == “AP MAC Address”

Power Management:

• wlan.fc.pwrmgt == 1 (or 0)

Retransmissions:

• Retransmissions: wlan.fc.retry==1
• Retries to DS: wlan.fc.retry==1 && wlan.fc.tods==1
• Retries from DS: wlan.fc.retry==1 && wlan.fc.fromds==1

Filter Addresses:

• MAC Address: wlan.addr == 00:11:22:33:44:55 (Mac address)
• Transmitter address: wlan.ta == 00:11:22:33:44:55 (Mac address)
• Receiver address: wlan.ra == 00:11:22:33:44:55 (Mac address)
• Source address: wlan.sa == 00:11:22:33:44:55 (Mac address)
• Destination address: wlan.da == 00:11:22:33:44:55 (Mac address)

802.11 Management Frames:

• All management frames: wlan.fc.type == 0
• Association request: wlan.fc.type_subtype == 0
• Association response: wlan.fc.type_subtype == 1
• Re-association request: wlan.fc.type_subtype == 2
• Re-association response: wlan.fc.type_subtype == 3
• Probe request: wlan.fc.type_subtype == 4
• Probe response: wlan.fc.type_subtype == 5
• Beacons: wlan.fc.type_subtype == 8
• ATIMs: wlan.fc.type_subtype == 9
• Disassociations: wlan.fc.type_subtype == 10
• Authentications: wlan.fc.type_subtype == 11
• De-authentications: wlan.fc.type_subtype == 12
• Actions: wlan.fc.type_subtype == 13

802.11 Control Frames:

• All control frames: wlan.fc.type == 1
• Block ack requests: wlan.fc.type_subtype == 24
• Block ACKs: wlan.fc.type_subtype == 25
• PS-Polls: wlan.fc.type_subtype == 26
• Ready to Sends: wlan.fc.type_subtype == 27
• Clear to sends: wlan.fc.type_subtype == 28
• ACKs: wlan.fc.type_subtype == 29
• CF-Ends: wlan.fc.type_subtype == 30
• CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31

802.11 Data Frames:

•  All Data frames: wlan.fc.type == 2
• Data: wlan.fc.type_subtype == 32
• Data + CF-ACK: wlan.fc.type_subtype == 33
• Data + CF-Poll: wlan.fc.type_subtype == 34
• Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
• Null: wlan.fc.type_subtype == 36
• CF-ACK: wlan.fc.type_subtype == 37
• CF-Poll: wlan.fc.type_subtype == 38
• CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
• QoS data: wlan.fc.type_subtype == 40
• QoS data + CF-ACK: wlan.fc.type_subtype == 41
• QoS data + CF-Poll: wlan.fc.type_subtype == 42
• QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
• QoS Null: wlan.fc.type_subtype == 44
• Qos CF-Poll: wlan.fc.type_subtype == 46
• QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47

Radio Tap Header Information:

• Specific Channel: radiotap.channel.freq == 5240 (frequency)
• Specific data rate: radiotap.datarate == 6 (rate in mbps)
• RSSI: radiotap.dbm_antsignal == -60 (rate in dbm)

Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us ! 🙂