Revision history - Ask Wireshark

1

initial version

answered 2021-03-02 22:42:58 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

Have you tried this?

wlan.ta[0:1] & 02

Have you tried this?

wlan.ta[0:1] (wlan.ta[0:1] & 02
02) and !(wlan.ta[0:1] & 01)

Have you tried this?

(wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)

EDIT: @TheDancingBard asked for an explanation, so I've added some more details here. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that @Chuckc mentioned; I just looked at the patterns of interest, namely:

XA:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX

wlan.ta consists of 6 bytes, numbered 0 through 5. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the Slice Operator to isolate the 1st byte of that field as follows: wlan.ta[0:1]. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits number 7 through 0 from left-to-right), so I used the Bitwise And Operator to check each bit of interest. In the case of 2, 6, A and E, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn.

This will return true for all bytes where bit 1 is set: (wlan.ta[0:1] & 02)
And this will return true for all bytes where bit 0 is not set: !(wlan.ta[0:1] & 01)

Since we require both conditions to be true, the expressions must be and'd together, so we end up with the complete filter above, namely (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01).

Now, if Wireshark supported the following construct, we could improve the filtering even more: (wlan.ta[0] & 03) == 02. Unfortunately, this isn't supported ... yet? Perhaps an enhancement bug report could be filed for this.

An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked:

     b3    b2    b1    b0
     ---------------------
0    0     0     0     0
1    0     0     0     1
2    0     0     1     0    *
3    0     0     1     1
4    0     1     0     0
5    0     1     0     1
6    0     1     1     0    *
7    0     1     1     1
8    1     0     0     0
9    1     0     0     1
A    1     0     1     0    *
B    1     0     1     1
C    1     1     0     0
D    1     1     0     1
E    1     1     1     0    *
F    1     1     1     1
     ---------------------

A naive approach to filtering would be to simply check all 4 bits of the nibble for each of the 4 possible values of interest. For example:

(!(wlan.ta[0:1] & 08) and !(wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)) or
(!(wlan.ta[0:1] & 08) and (wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)) or
((wlan.ta[0:1] & 08) and !(wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01)) or
((wlan.ta[0:1] & 08) and (wlan.ta[0:1] & 04) and (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01))

But, we can do better. The following Karnaugh Map represents all 4 bits (b3 b2 b1 b0) of the lower nibble of the first byte of the wlan.ta field, and the values marked with 1 represent those values of interest:

           \ b1 b0    
    b3 b2   \       00  01  11  10
    --------------+-----------------
     0   0        |  0   0   0   1
     0   1        |  0   0   0   1
     1   1        |  0   0   0   1
     1   0        |  0   0   0   1
    --------------+-----------------

From this table, it's clear that the right-most column is all 1's, so the only bits of concern to us are the lower 2 bits, and the requirement is therefore that bit 1 must be 1 and bit 0 must be 0, so we can group the entire column and the filter can be reduced to just (wlan.ta[0:1] & 02) and !(wlan.ta[0:1] & 01), as I've shown.

For more details on Wireshark filtering and the various operators I used, refer to the wireshark-filter man page.

Have you tried this?

(wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01)
1)

EDIT: @TheDancingBard asked for an explanation, so I've added some more details here. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that @Chuckc mentioned; I just looked at the patterns of interest, namely:

XA:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX

wlan.ta consists of 6 bytes, numbered 0 through 5. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the Slice Operator to isolate the 1st byte of that field as follows: wlan.ta[0:1]. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits number 7 through 0 from left-to-right), so I used the Bitwise And Operator to check each bit of interest. In the case of 2, 6, A and E, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn.

This will return true for all bytes where bit 1 is set: (wlan.ta[0:1] & 02)2)
And this will return true for all bytes where bit 0 is not set: !(wlan.ta[0:1] & 01)1)

Since we require both conditions to be true, the expressions must be and'd together, so we end up with the complete filter above, namely (wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01)1).

Now, if Wireshark supported the following construct, we could improve the filtering even more: (wlan.ta[0] & 03) 3) == 022. Unfortunately, this isn't supported ... yet? Perhaps an enhancement bug report could be filed for this.

An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked:

     b3    b2    b1    b0
     ---------------------
0    0     0     0     0
1    0     0     0     1
2    0     0     1     0    *
3    0     0     1     1
4    0     1     0     0
5    0     1     0     1
6    0     1     1     0    *
7    0     1     1     1
8    1     0     0     0
9    1     0     0     1
A    1     0     1     0    *
B    1     0     1     1
C    1     1     0     0
D    1     1     0     1
E    1     1     1     0    *
F    1     1     1     1
     ---------------------

A naive approach to filtering would be to simply check all 4 bits of the nibble for each of the 4 possible values of interest. For example:

(!(wlan.ta[0:1] & 08) 8) and !(wlan.ta[0:1] & 04) 4) and (wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01)) 1)) or
(!(wlan.ta[0:1] & 08) 8) and (wlan.ta[0:1] & 04) 4) and (wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01)) 1)) or
((wlan.ta[0:1] & 08) 8) and !(wlan.ta[0:1] & 04) 4) and (wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01)) 1)) or
((wlan.ta[0:1] & 08) 8) and (wlan.ta[0:1] & 04) 4) and (wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01))
1))

But, we can do better. The following Karnaugh Map represents all 4 bits (b3 b2 b1 b0) of the lower nibble of the first byte of the wlan.ta field, and the values marked with 1 represent those values of interest:

           \ b1 b0    
    b3 b2   \       00  01  11  10
    --------------+-----------------
     0   0        |  0   0   0   1
     0   1        |  0   0   0   1
     1   1        |  0   0   0   1
     1   0        |  0   0   0   1
    --------------+-----------------

From this table, it's clear that the right-most column is all 1's, so the only bits of concern to us are the lower 2 bits, and the requirement is therefore that bit 1 must be 1 and bit 0 must be 0, so we can group the entire column and the filter can be reduced to just (wlan.ta[0:1] & 02) 2) and !(wlan.ta[0:1] & 01)1), as I've shown.

For more details on Wireshark filtering and the various operators I used, refer to the wireshark-filter man page.

Revision history [back]