# Wireshark Random MAC Address display filter

Hi guys, I'm new here, I'm having a hard time setting up a filter for Wireshark.

I have tried wlan.ta[0] matches "./2" but I can't get it to work. (My best attempts gave me values like 02:XX:XX:XX.XX:XX but not values like C2:XX:XX:XX:XX:XX

What I actually want is something that will give me _ANY_ MAC Address with the following characters in the first octet, in that specific position, which from my googling means its a private MAC address:

XA:XX:XX:XX:XX:XX XE:XX:XX:XX:XX:XX X2:XX:XX:XX:XX:XX X6:XX:XX:XX:XX:XX

X = any given hex value, doesn't matter I swear I searched but people are almost always into specific OUI codes which is far easier to filter

edit retag close merge delete

( 2021-03-02 21:31:24 +0000 )edit

Sort by » oldest newest most voted

Have you tried this?

(wlan.ta[0:1] & 2) and !(wlan.ta[0:1] & 1)


EDIT: @TheDancingBard asked for an explanation, so I've added some more details here. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that @Chuckc mentioned; I just looked at the patterns of interest, namely:

XA:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX


wlan.ta consists of 6 bytes, numbered 0 through 5. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the Slice Operator to isolate the 1st byte of that field as follows: wlan.ta[0:1]. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits number 7 through 0 from left-to-right), so I used the Bitwise And Operator to check each bit of interest. In the case of 2, 6, A and E, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn.

This will return true for all bytes where bit 1 is set: (wlan.ta[0:1] & 2)
And this will return true for all bytes where bit 0 is not set: !(wlan.ta[0:1] & 1)

Since we require both conditions to be true, the expressions must be and'd together, so we end up with the complete filter above, namely (wlan.ta[0:1] & 2) and !(wlan.ta[0:1] & 1).

Now, if Wireshark supported the following construct, we could improve the filtering even more: (wlan.ta[0] & 3) == 2. Unfortunately, this isn't supported ... yet? Perhaps an enhancement bug report could be filed for this.

An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked:

     b3    b2    b1    b0
---------------------
0    0     0     0     0
1    0     0     0     1
2    0     0     1     0    *
3    0     0     1     1
4    0     1     0     0
5    0     1     0     1
6    0     1     1     0    *
7    0     1     1     1
8    1     0     0     0
9    1     0     0     1
A    1     0     1     0    *
B    1     0     1     1
C    1     1     0     0
D    1     1     0     1
E    1     1     1     0    *
F    1     1     1     1
---------------------


A naive approach to filtering would be to simply check all 4 bits of the nibble ...

more

Thnaks for the reply, it sure gets me some results matching my criteria, not sure if it got 100% but it looks like it. Mind explaining? Thanks

( 2021-03-03 03:20:03 +0000 )edit