Ask Your Question
0

Wireshark Random MAC Address display filter

asked 2021-03-02 20:44:06 +0000

Hi guys, I'm new here, I'm having a hard time setting up a filter for Wireshark.

I have tried wlan.ta[0] matches "./2" but I can't get it to work. (My best attempts gave me values like 02:XX:XX:XX.XX:XX but not values like C2:XX:XX:XX:XX:XX

What I actually want is something that will give me _ANY_ MAC Address with the following characters in the first octet, in that specific position, which from my googling means its a private MAC address:

XA:XX:XX:XX:XX:XX XE:XX:XX:XX:XX:XX X2:XX:XX:XX:XX:XX X6:XX:XX:XX:XX:XX

X = any given hex value, doesn't matter I swear I searched but people are almost always into specific OUI codes which is far easier to filter

edit retag flag offensive close merge delete

Comments

Chuckc gravatar imageChuckc ( 2021-03-02 21:31:24 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2021-03-02 22:42:58 +0000

cmaynard gravatar image

updated 2021-03-04 14:27:27 +0000

Have you tried this?

(wlan.ta[0:1] & 2) and !(wlan.ta[0:1] & 1)

EDIT: @TheDancingBard asked for an explanation, so I've added some more details here. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that @Chuckc mentioned; I just looked at the patterns of interest, namely:

XA:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX

wlan.ta consists of 6 bytes, numbered 0 through 5. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the Slice Operator to isolate the 1st byte of that field as follows: wlan.ta[0:1]. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits number 7 through 0 from left-to-right), so I used the Bitwise And Operator to check each bit of interest. In the case of 2, 6, A and E, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn.

This will return true for all bytes where bit 1 is set: (wlan.ta[0:1] & 2)
And this will return true for all bytes where bit 0 is not set: !(wlan.ta[0:1] & 1)

Since we require both conditions to be true, the expressions must be and'd together, so we end up with the complete filter above, namely (wlan.ta[0:1] & 2) and !(wlan.ta[0:1] & 1).

Now, if Wireshark supported the following construct, we could improve the filtering even more: (wlan.ta[0] & 3) == 2. Unfortunately, this isn't supported ... yet? Perhaps an enhancement bug report could be filed for this.


An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked:

     b3    b2    b1    b0
     ---------------------
0    0     0     0     0
1    0     0     0     1
2    0     0     1     0    *
3    0     0     1     1
4    0     1     0     0
5    0     1     0     1
6    0     1     1     0    *
7    0     1     1     1
8    1     0     0     0
9    1     0     0     1
A    1     0     1     0    *
B    1     0     1     1
C    1     1     0     0
D    1     1     0     1
E    1     1     1     0    *
F    1     1     1     1
     ---------------------

A naive approach to filtering would be to simply check all 4 bits of the nibble ... (more)

edit flag offensive delete link more

Comments

Thnaks for the reply, it sure gets me some results matching my criteria, not sure if it got 100% but it looks like it. Mind explaining? Thanks

TheDancingBard gravatar imageTheDancingBard ( 2021-03-03 03:20:03 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-03-02 20:44:06 +0000

Seen: 134 times

Last updated: Mar 04