
Reviewing the capture filter syntax, I don't think there is anything to specifically get frames at this level of detail in an 802.11 capture.

One thing that might work is to use tshark and a display filter. If I choose the -Y option and try to capture and save at the same time, it fails:

$ tshark -i wlp7s0 -Y 'wlan.ext_tag.number == 35' -w test.pcapng
tshark: Display filters aren't supported when capturing and saving the captured packets.

This is a Linux host and an arbitrary example of looking for an IE (Information Element) - your display filter will be different based on the specifics of what you are looking for:

Ext Tag Number: HE Capabilities (35)

But tshark can read from a file, apply the display filter, and then save the result to a new file. So if I pipe:

$ tshark -i wlp7s0 -w - | tshark -r - -Y 'wlan.ext_tag.number == 35' -w test.pcapng
Capturing on 'wlp7s0'
11162

The output file is created and we have our poor man's capture filter based on a display filter. For a realtime display in Wireshark, pipe to Wireshark:

$ tshark -i wlp7s0 -w - -l | tshark -r - -Y 'wlan.ext_tag.number == 35' -w - -l | wireshark -k -i -

I still get buffering in the output to Wireshark even with the -l option for some reason, which makes this a less attractive solution, but it may provide some ideas on how to get a more capable capture-like filter.
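
What the display filter in the answer above matches at the byte level, as an added example that is not part of the original answer: in the 802.11 tagged parameters, extension elements use Element ID 255 with the extension number in the first payload byte, and HE Capabilities is extension 35. The helper names and the sample bytes are constructed for illustration.

```python
EID_EXTENSION = 255        # Element ID meaning "an Element ID Extension byte follows"
EXT_HE_CAPABILITIES = 35   # the value tested by wlan.ext_tag.number == 35


def iter_elements(tagged: bytes):
    """Yield (element_id, ext_id_or_None, payload) for each information element.

    `tagged` is the tagged-parameters part of a management frame body
    (after the fixed fields). Parsing stops at a truncated element
    instead of reading past the end of the buffer.
    """
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2: off + 2 + length]
        if len(body) < length:          # declared length runs past the frame
            return
        if eid == EID_EXTENSION and length >= 1:
            yield eid, body[0], body[1:]   # first payload byte is the ext tag number
        else:
            yield eid, None, body
        off += 2 + length


def has_ext_tag(tagged: bytes, ext_id: int) -> bool:
    """True if any extension element in `tagged` carries `ext_id`."""
    return any(ext == ext_id for _, ext, _ in iter_elements(tagged))


def element(eid: int, payload: bytes) -> bytes:
    """Build one id/length/payload element (used only for the sample data)."""
    return bytes([eid, len(payload)]) + payload


# Constructed sample data: payload contents are zero padding, not real capabilities.
SSID = element(0, b"lab-ap")
RATES = element(1, bytes([0x82, 0x84, 0x8B, 0x96]))
HE_CAP = element(EID_EXTENSION, bytes([EXT_HE_CAPABILITIES]) + bytes(21))
HE_OP = element(EID_EXTENSION, bytes([36]) + bytes(6))

AX_BEACON_TAGS = SSID + RATES + HE_CAP + HE_OP
LEGACY_BEACON_TAGS = SSID + RATES
TRUNCATED_TAGS = SSID + HE_CAP[:5]     # element cut off mid-payload

if __name__ == "__main__":
    for name, tags in [("ax", AX_BEACON_TAGS), ("legacy", LEGACY_BEACON_TAGS),
                       ("truncated", TRUNCATED_TAGS)]:
        print(name, has_ext_tag(tags, EXT_HE_CAPABILITIES))
```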