WN Blog 002 – Wireshark Filters


Both Mac & Matt are currently studying for their final CWNP exam – CWAP! We have been making notes and tips along the way, so we wanted to share some with you guys.

We got a lot of the Wireshark filters below from the guys over at CTS, but we have added a few more that we have found useful, and we will keep adding more along the way!

Basic filter:

  • wlan.addr == 00:11:22:33:44:55 (MAC address)

Filter on only authentication:

  • wlan.addr == 00:11:22:33:44:55 && wlan.fc.type_subtype == 0x000b (00:11:22:33:44:55 is the MAC address)

Filter on only association request:

  • wlan.addr == 00:11:22:33:44:55 && wlan.fc.type_subtype == 0x0000 (00:11:22:33:44:55 is the MAC address)

Filter on only association response:

  • wlan.addr == 00:11:22:33:44:55 && wlan.fc.type_subtype == 0x0001 (00:11:22:33:44:55 is the MAC address)

Filter on only probe request:

  • wlan.addr == 00:11:22:33:44:55 && wlan.fc.type_subtype == 0x0004 (00:11:22:33:44:55 is the MAC address)

Filter on only probe response:

  • wlan.addr == 00:11:22:33:44:55 && wlan.fc.type_subtype == 0x0005 (00:11:22:33:44:55 is the MAC address)

4 way handshake filter:

  • wlan.addr == 00:11:22:33:44:55 && eapol (00:11:22:33:44:55 is the MAC address)

Filter by SSID:

  • wlan_mgmt.ssid == "SSID" (current Wireshark releases name this field wlan.ssid)

Filter by AP:

  • wlan.bssid == 00:11:22:33:44:55 (AP MAC address)

Power Management:

  • wlan.fc.pwrmgt == 1 (or 0)

Retransmissions:

  • Retransmissions: wlan.fc.retry==1
  • Retries to DS: wlan.fc.retry==1 && wlan.fc.tods==1
  • Retries from DS: wlan.fc.retry==1 && wlan.fc.fromds==1

Filter Addresses:

  • MAC Address: wlan.addr == 00:11:22:33:44:55 (Mac address)
  • Transmitter address: wlan.ta == 00:11:22:33:44:55 (Mac address)
  • Receiver address: wlan.ra == 00:11:22:33:44:55 (Mac address)
  • Source address: wlan.sa == 00:11:22:33:44:55 (Mac address)
  • Destination address: wlan.da == 00:11:22:33:44:55 (Mac address)

802.11 Management Frames:

  • All management frames: wlan.fc.type == 0
  • Association request: wlan.fc.type_subtype == 0
  • Association response: wlan.fc.type_subtype == 1
  • Re-association request: wlan.fc.type_subtype == 2
  • Re-association response: wlan.fc.type_subtype == 3
  • Probe request: wlan.fc.type_subtype == 4
  • Probe response: wlan.fc.type_subtype == 5
  • Beacons: wlan.fc.type_subtype == 8
  • ATIMs: wlan.fc.type_subtype == 9
  • Disassociations: wlan.fc.type_subtype == 10
  • Authentications: wlan.fc.type_subtype == 11
  • De-authentications: wlan.fc.type_subtype == 12
  • Actions: wlan.fc.type_subtype == 13

802.11 Control Frames:

  • All control frames: wlan.fc.type == 1
  • Block ack requests: wlan.fc.type_subtype == 24
  • Block ACKs: wlan.fc.type_subtype == 25
  • PS-Polls: wlan.fc.type_subtype == 26
  • Request to Sends (RTS): wlan.fc.type_subtype == 27
  • Clear to Sends (CTS): wlan.fc.type_subtype == 28
  • ACKs: wlan.fc.type_subtype == 29
  • CF-Ends: wlan.fc.type_subtype == 30
  • CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31

802.11 Data Frames:

  • All data frames: wlan.fc.type == 2
  • Data: wlan.fc.type_subtype == 32
  • Data + CF-ACK: wlan.fc.type_subtype == 33
  • Data + CF-Poll: wlan.fc.type_subtype == 34
  • Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
  • Null: wlan.fc.type_subtype == 36
  • CF-ACK: wlan.fc.type_subtype == 37
  • CF-Poll: wlan.fc.type_subtype == 38
  • CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
  • QoS data: wlan.fc.type_subtype == 40
  • QoS data + CF-ACK: wlan.fc.type_subtype == 41
  • QoS data + CF-Poll: wlan.fc.type_subtype == 42
  • QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
  • QoS Null: wlan.fc.type_subtype == 44
  • QoS CF-Poll: wlan.fc.type_subtype == 46
  • QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47
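
Where the type_subtype numbers and flag filters above come from, as an added example (not part of the original blog): the value is the 2-bit frame type shifted left by four, combined with the 4-bit subtype from the Frame Control field. The function names and the sample frame bytes are constructed for illustration.

```python
# Added example: sample frame bytes below are constructed, not from a capture.
import struct

# A few of the type_subtype values listed on this page.
NAMES = {0: "Association request", 8: "Beacon", 11: "Authentication",
         12: "De-authentication", 29: "ACK", 40: "QoS data", 44: "QoS Null"}

def decode_frame_control(frame: bytes) -> dict:
    """Map the first two bytes of an 802.11 MAC header to Wireshark field values."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)   # Frame Control is little-endian
    ftype = (fc >> 2) & 0x3                   # 0 = management, 1 = control, 2 = data
    subtype = (fc >> 4) & 0xF
    return {
        "wlan.fc.type": ftype,
        "wlan.fc.type_subtype": (ftype << 4) | subtype,  # number used in the filters
        "wlan.fc.tods": (fc >> 8) & 1,
        "wlan.fc.fromds": (fc >> 9) & 1,
        "wlan.fc.retry": (fc >> 11) & 1,
        "wlan.fc.pwrmgt": (fc >> 12) & 1,
    }

def matching_filters(frame: bytes) -> list:
    """Return the filters from this page that the frame's Frame Control satisfies."""
    f = decode_frame_control(frame)
    hits = [f"wlan.fc.type == {f['wlan.fc.type']}",
            f"wlan.fc.type_subtype == {f['wlan.fc.type_subtype']}"]
    if f["wlan.fc.retry"]:
        hits.append("wlan.fc.retry==1")
        if f["wlan.fc.tods"]:
            hits.append("wlan.fc.retry==1 && wlan.fc.tods==1")
        if f["wlan.fc.fromds"]:
            hits.append("wlan.fc.retry==1 && wlan.fc.fromds==1")
    hits.append(f"wlan.fc.pwrmgt == {f['wlan.fc.pwrmgt']}")
    return hits

def describe(frame: bytes) -> str:
    """Name the frame if it is one of the subtypes in NAMES."""
    ts = decode_frame_control(frame)["wlan.fc.type_subtype"]
    return NAMES.get(ts, f"type_subtype {ts}")

if __name__ == "__main__":
    # Constructed Frame Control values: beacon, deauth, ACK,
    # QoS data (To DS + retry), QoS Null (To DS + power management).
    for hexfc in ("8000", "c000", "d400", "8809", "c811"):
        s = bytes.fromhex(hexfc)
        print(hexfc, describe(s), matching_filters(s))
```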

Radio Tap Header Information:

  • Specific Channel: radiotap.channel.freq == 5240 (frequency)
  • Specific data rate: radiotap.datarate == 6 (rate in Mb/s)
  • RSSI: radiotap.dbm_antsignal == -60 (signal strength in dBm)

Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us! 🙂
