For wireless capture filters, these pages are useful to describe the different options available:
https://www.tcpdump.org/manpages/pcap-filter.7.html
https://www.tcpdump.org/manpages/tcpdump.1.html
http://wifinigel.blogspot.com/2018/04/wireshark-capture-filters-for-80211.html
Some examples from my notes:
Beacons for a specific bssid, last two octets of bssid only (wlan.bssid == 0c:d0:f8:95:3a:4d):
tcpdump -i wlan0 type mgt subtype beacon and wlan[20:2] == 0x3a4d
Beacons for a specific bssid, whole bssid:
tcpdump -i wlan0 type mgt subtype beacon and wlan[16:4] == 0x0cd0f895 and wlan[20:2] == 0x3a4d
Broadcast traffic, offset method:
tshark -i wlan0 type data and wlan[4:4] == 0xffffffff and wlan[8:2] == 0xffff
Dump all bytes to count offsets (includes radiotap header - to figure out needed offsets)
tcpdump -xx -i wlan0
802.11 Retry bit set
Capture: "type data and wlan[1] & 0x08 != 0"
Display: wlan.fc.type == 2 and wlan.fc.retry == 1
tshark -i wlan0 "type data and wlan[1] & 0x08 != 0"
There are other solutions too; for instance, probe responses and other frame types may have retries so you may not want to limit to type/data:
tshark -i wlan0 "wlan[1] & 0x08 != 0"
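An added example, not part of the original answer: a small Python helper that generates the offset-style filters shown above for any MAC address and checks the same offsets against a constructed beacon header. The function names and the sample frame are assumptions made for illustration; offsets are counted from the start of the 802.11 MAC header, as in the filters above.

```python
# Added example: build pcap-filter offset expressions for an 802.11 address.
# Address 1 starts at byte 4, address 2 at byte 10, address 3 at byte 16 of
# the 802.11 MAC header. In beacons the BSSID is address 3, and the receiver
# (broadcast) address is address 1, matching the filters in the answer.
ADDR_OFFSET = {1: 4, 2: 10, 3: 16}

def mac_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return raw

def addr_filter(mac, field=3, tail_only=False):
    """Return a capture-filter fragment matching mac in the given address field.

    pcap-filter byte accessors read 1, 2 or 4 bytes, so a 6-byte address
    is compared as one 4-byte word followed by one 2-byte word.
    """
    raw, off = mac_bytes(mac), ADDR_OFFSET[field]
    tail = "wlan[%d:2] == 0x%s" % (off + 4, raw[4:].hex())
    if tail_only:
        return tail
    return "wlan[%d:4] == 0x%s and %s" % (off, raw[:4].hex(), tail)

def addr_matches(frame, mac, field=3):
    """Apply the same byte comparison to a raw 802.11 frame (no radiotap)."""
    off = ADDR_OFFSET[field]
    return frame[off:off + 6] == mac_bytes(mac)

def retry_set(frame):
    """Retry flag: bit 0x08 of the second frame-control byte (wlan[1])."""
    return frame[1] & 0x08 != 0

def sample_beacon(bssid, retry=False):
    """Constructed 24-byte beacon header used only to exercise the offsets."""
    fc = bytes([0x80, 0x08 if retry else 0x00])   # type mgt, subtype beacon
    b = mac_bytes(bssid)
    # frame control, duration, addr1 (broadcast), addr2, addr3, sequence control
    return fc + b"\x00\x00" + b"\xff" * 6 + b + b + b"\x00\x00"

if __name__ == "__main__":
    bssid = "0c:d0:f8:95:3a:4d"
    print("type mgt subtype beacon and " + addr_filter(bssid))
    print("type data and " + addr_filter("ff:ff:ff:ff:ff:ff", field=1))
```
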