 | 1 | initial version |
(wlan[4:2]==0x026a && wlan[6]==0xe3) or (wlan[10:2]==0x026a && wlan[12]==0xe3)
There are four (4) bytes before the addresses start. Capture filter above matched 02:6a:e3
A slightly different syntax which might be easier to read in this old old question:
(wlan[4:4] & 0xffffff00 == 0x026ae300) or (wlan[10:4] & 0xffffff00 == 0x026ae300)
Based on the answers at the end of the question above, you might want to refine the filter based on the type of frame by looking at the first bytes of wlan.
The Packet Diagram below is a for a data frame - shows 4 bytes for Type/Subtype and Duration before addresses.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
