1 | initial version |

Have you tried this?

```
wlan.ta[0:1] & 02
```

2 | No.2 Revision |

Have you tried this?

~~wlan.ta[0:1] ~~(wlan.ta[0:1] & ~~02
~~02) and !(wlan.ta[0:1] & 01)

3 | No.3 Revision |

Have you tried this?

```
(wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)
```

**EDIT**: @TheDancingBard asked for an explanation, so I've added some more details here. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that @Chuckc mentioned; I just looked at the patterns of interest, namely:

```
XA:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX
```

`wlan.ta`

consists of 6 bytes, numbered 0 through 5. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the ** Slice** Operator to isolate the 1st byte of that field as follows:

`wlan.ta[0:1]`

. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits number 7 through 0 from left-to-right), so I used the `2`

, `6`

, `A`

and `E`

, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn.This will return true for all bytes where bit 1 is set: `(wlan.ta[0:1] & 02)`

And this will return true for all bytes where bit 0 is not set: `!(wlan.ta[0:1] & 01)`

Since we require *both* conditions to be true, the expressions must be ** and**'d together, so we end up with the complete filter above, namely

`(wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)`

.Now, if Wireshark supported the following construct, we could improve the filtering even more: `(wlan.ta[0] & 03) == 02`

. Unfortunately, this isn't supported ... yet? Perhaps an enhancement bug report could be filed for this.

An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked:

```
b3 b2 b1 b0
---------------------
0 0 0 0 0
1 0 0 0 1
2 0 0 1 0 *
3 0 0 1 1
4 0 1 0 0
5 0 1 0 1
6 0 1 1 0 *
7 0 1 1 1
8 1 0 0 0
9 1 0 0 1
A 1 0 1 0 *
B 1 0 1 1
C 1 1 0 0
D 1 1 0 1
E 1 1 1 0 *
F 1 1 1 1
---------------------
```

A naive approach to filtering would be to simply check all 4 bits of the nibble for each of the 4 possible values of interest. For example:

```
(!(wlan.ta[0:1] & 08) and !(wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)) or
(!(wlan.ta[0:1] & 08) and (wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)) or
((wlan.ta[0:1] & 08) and !(wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)) or
((wlan.ta[0:1] & 08) and (wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01))
```

But, we can do better. The following Karnaugh Map represents all 4 bits (b3 b2 b1 b0) of the lower nibble of the first byte of the `wlan.ta`

field, and the values marked with `1`

represent those values of interest:

\ b1 b0 b3 b2 \ 00 01 11 10 --------------+----------------- 0 0 | 0 0 0 1 0 1 | 0 0 0 1 1 1 | 0 0 0 1 1 0 | 0 0 0 1 --------------+-----------------

From this table, it's clear that the right-most column is all `1`

's, so the only bits of concern to us are the lower 2 bits, and the requirement is therefore that bit 1 must be 1 and bit 0 must be 0, so we can group the entire column and the filter can be reduced to just `(wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)`

, as I've shown.

For more details on Wireshark filtering and the various operators I used, refer to the wireshark-filter man page.

4 | No.4 Revision |

Have you tried this?

`(wlan.ta[0:1] & `~~02) ~~2) and !(wlan.ta[0:1] & ~~01)
~~1)

**EDIT**: @TheDancingBard asked for an explanation, so I've added some more details here. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that @Chuckc mentioned; I just looked at the patterns of interest, namely:

```
XA:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX
```

`wlan.ta`

consists of 6 bytes, numbered 0 through 5. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the ** Slice** Operator to isolate the 1st byte of that field as follows:

`wlan.ta[0:1]`

. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits number 7 through 0 from left-to-right), so I used the `2`

, `6`

, `A`

and `E`

, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn.This will return true for all bytes where bit 1 is set: `(wlan.ta[0:1] & `

~~02)~~2)

And this will return true for all bytes where bit 0 is not set: `!(wlan.ta[0:1] & `

~~01)~~1)

Since we require *both* conditions to be true, the expressions must be ** and**'d together, so we end up with the complete filter above, namely

`(wlan.ta[0:1] & `~~02) ~~2) and !(wlan.ta[0:1] & ~~01)~~1)

.Now, if Wireshark supported the following construct, we could improve the filtering even more: `(wlan.ta[0] & `

. Unfortunately, this isn't supported ... yet? Perhaps an enhancement bug report could be filed for this.~~03) ~~3) == ~~02~~2

An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked:

```
b3 b2 b1 b0
---------------------
0 0 0 0 0
1 0 0 0 1
2 0 0 1 0 *
3 0 0 1 1
4 0 1 0 0
5 0 1 0 1
6 0 1 1 0 *
7 0 1 1 1
8 1 0 0 0
9 1 0 0 1
A 1 0 1 0 *
B 1 0 1 1
C 1 1 0 0
D 1 1 0 1
E 1 1 1 0 *
F 1 1 1 1
---------------------
```

A naive approach to filtering would be to simply check all 4 bits of the nibble for each of the 4 possible values of interest. For example:

`(!(wlan.ta[0:1] & `~~08) ~~8) and !(wlan.ta[0:1] & ~~04) ~~4) and (wlan.ta[0:1] & ~~02) ~~2) and !(wlan.ta[0:1] & ~~01)) ~~1)) or
(!(wlan.ta[0:1] & ~~08) ~~8) and (wlan.ta[0:1] & ~~04) ~~4) and (wlan.ta[0:1] & ~~02) ~~2) and !(wlan.ta[0:1] & ~~01)) ~~1)) or
((wlan.ta[0:1] & ~~08) ~~8) and !(wlan.ta[0:1] & ~~04) ~~4) and (wlan.ta[0:1] & ~~02) ~~2) and !(wlan.ta[0:1] & ~~01)) ~~1)) or
((wlan.ta[0:1] & ~~08) ~~8) and (wlan.ta[0:1] & ~~04) ~~4) and (wlan.ta[0:1] & ~~02) ~~2) and !(wlan.ta[0:1] & ~~01))
~~1))

But, we can do better. The following Karnaugh Map represents all 4 bits (b3 b2 b1 b0) of the lower nibble of the first byte of the `wlan.ta`

field, and the values marked with `1`

represent those values of interest:

\ b1 b0 b3 b2 \ 00 01 11 10 --------------+----------------- 0 0 | 0 0 0 1 0 1 | 0 0 0 1 1 1 | 0 0 0 1 1 0 | 0 0 0 1 --------------+-----------------

From this table, it's clear that the right-most column is all `1`

's, so the only bits of concern to us are the lower 2 bits, and the requirement is therefore that bit 1 must be 1 and bit 0 must be 0, so we can group the entire column and the filter can be reduced to just `(wlan.ta[0:1] & `

, as I've shown.~~02) ~~2) and !(wlan.ta[0:1] & ~~01)~~1)

For more details on Wireshark filtering and the various operators I used, refer to the wireshark-filter man page.

Copyright Wireshark Foundation, 2017-2020 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.