Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Capture filters work on raw packets; they're executed either in the kernel (on Linux, *BSD, macOS, Solaris 11, AIX, and Windows) or in libpcap (HP-UX, Solaris 10 and earlier) before they get to Wireshark and thus before any decryption is done.

This means they do not work on the payload of 802.11 packets on a protected network; you can only filter on 802.11 MAC header fields.