Ask Your Question

WLAN Capture Filter on OUI

asked 2021-07-12 20:51:07 +0000

clutch2sft gravatar image

updated 2021-07-12 22:40:21 +0000

Been playing for hours now so coming to the experts! I am pretty sure this is really a PCAP question but I can't figure out where to ask that either. Not so smart am i. At any rate been trying to set up a capture filter to gather everything to/from a particular OUI on wifi. The setup - mediatek wifi adapters on linux in monitor mode. Working great.

Using slicing I can do anything i want with wlan [0] == 0xnn and get the expected results. However, using any other byte, IE: wlan[1] == 0xnn for instance results in a null capture. Even though I am using nn that I know is byte two of the station. Of course, the more complicated forms don't work either such as wlan [0:2] ==0xnnnn and such.

Wish I had added. Tried with 3.2.15rc0 and v3.4.7rc0-42-ge479ced643a7 compiled natively on RPI also loaded 1.8.1 and 1.10.0 libpcap. Kernel is 5.10.17-v71+

edit retag flag offensive close merge delete


Are you looking for a capture filter (pcap-filter) or a display filter (wireshark-filter) ?

Chuckc gravatar imageChuckc ( 2021-07-12 22:26:47 +0000 )edit

capture filter for sure. need to reduce the clutter on the capture side.

clutch2sft gravatar imageclutch2sft ( 2021-07-12 22:35:18 +0000 )edit

wlan [0] == 0xnn is syntax for a Wireshark display filter.
Check the pcap-filter man page for capture filter syntax.
See this previous question for wlan capture filter examples.

Chuckc gravatar imageChuckc ( 2021-07-12 22:44:13 +0000 )edit

Thank you for your answer. I have read the man page many times ... because I miss stuff all the time. It is not helping me to achieve my goal. The syntax I and you reference are shown in various places as pcap syntax. The man page says: Similarly, tr and wlan are aliases for ether;

This shows a valid way to do what I want to do and it works on ethernet link to valid way

Copied here for ease of access. 'ether[0:2] == 0x1122 && ether[2:1] == 0x33 \ || ether[6:2] == 0x1122 && ether[8:1] == 0x33'

So My guess is wlan alias slicing doesn't work correctly? Because I have followed it directly as the man page states.

clutch2sft gravatar imageclutch2sft ( 2021-07-12 22:53:57 +0000 )edit

(wlan[4:2]==0x026a && wlan[6]==0xe3) or (wlan[10:2]==0x026a && wlan[12]==0xe3)

There are four (4) bytes before the addresses start. Capture filter above matched 02:6a:e3

Chuckc gravatar imageChuckc ( 2021-07-12 23:44:29 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2021-07-13 00:22:25 +0000

Chuckc gravatar image
(wlan[4:2]==0x026a && wlan[6]==0xe3) or (wlan[10:2]==0x026a && wlan[12]==0xe3)

There are four (4) bytes before the addresses start. Capture filter above matched 02:6a:e3

A slightly different syntax which might be easier to read in this old old question:

(wlan[4:4] & 0xffffff00 == 0x026ae300) or (wlan[10:4] & 0xffffff00 == 0x026ae300)

Based on the answers at the end of the question above, you might want to refine the filter based on the type of frame by looking at the first bytes of wlan.

The Packet Diagram below is a for a data frame - shows 4 bytes for Type/Subtype and Duration before addresses.

image description

edit flag offensive delete link more


That is what I was missing. Those four bytes caused me lots of pain. Thank you again.

clutch2sft gravatar imageclutch2sft ( 2021-07-13 00:26:22 +0000 )edit

And BTW the reference to the old post above was SUPER helpful in understanding this thing better. I promise you none of my searches turned up that post. But I have added all this to my notebook for future reference.

clutch2sft gravatar imageclutch2sft ( 2021-07-13 10:49:25 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2021-07-12 20:51:07 +0000

Seen: 65 times

Last updated: Jul 13