Ask Your Question
0

Is there any capture filter available to capture only beacons and action frames that contain Channel Switch Announcement frames in them?

asked 2024-04-18 17:44:05 +0000

Jyothsna gravatar image

updated 2024-04-18 17:57:02 +0000

Guy Harris gravatar image

I am currently facing a significant requirement in my work to extract "Channel Switch Announcement (CSA)" tags present in both beacon and action frames during live captures using capture filters. Despite my efforts, I have been unable to locate a capture filter specifically designed to filter Channel Switch Announcement frames.

Can anyone assist me in this matter. Thanks in advance.

edit retag flag offensive close merge delete

Comments

Hello Bob Jones. Greetings for the day.Yes I too tried using "tag.number == 35" but it didn't worked for me. Thanks for sharing your insights.

Jyothsna gravatar imageJyothsna ( 2024-04-26 04:35:52 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-04-22 10:29:50 +0000

Bob Jones gravatar image

Reviewing the capture filter syntax, I don't think there is anything to specifically get frames at this level of detail in an 802.11 capture.

One thing that might work is to use tshark and a display filter. If I choose the -Y option and try to capture and save at the same time, it fails:

$ tshark -i wlp7s0 -Y 'wlan.ext_tag.number == 35' -w test.pcapng
tshark: Display filters aren't supported when capturing and saving the captured packets.

This is a Linux host and an arbitrary example of looking for an IE (Information Element) - your display filter will be different based on the specifics of what you are looking for:

Ext Tag Number: HE Capabilities (35)

But tshark can read from a file, apply the display filter, and then save the result to a new file. So if I pipe:

$ tshark -i wlp7s0 -w - | tshark -r - -Y 'wlan.ext_tag.number == 35' -w test.pcapng
Capturing on 'wlp7s0'
11162

The output file is created and we have our poor-man's capture filter based on a display filter. For a realtime display in wireshark, pipe to Wireshark:

tshark -i wlp7s0 -w - -l | tshark -r - -Y 'wlan.ext_tag.number == 35' -w - -l | wireshark -k -i -

I still get buffering in the output to Wireshark even with the -l option for some reason that makes this less attractive of a solution but it may provide some ideas on how to get a more capable capture-like filter.

edit flag offensive delete link more

Comments

8534: 802.11: doesn't parse extended channel switch announcement frames correctly
Pretty sure my home network would be boring so didn't pursue trying to get a more robust pcap file.

pcap-filter.7

To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of arp, atalk, carp, decnet, ether, fddi, icmp, icmp6, igmp, igrp, ip, ip6, lat, link, mopdl, moprc, pim, ppp, radio, rarp, sca, sctp, slip, tcp, tr, udp, vrrp or wlan, and indicates the protocol layer for the index operation.

Does this size of the flags section vary? Could you filter on the bytes in "type/subtype" and "Action code".
Would have to do the same for Beacons.

Chuckc gravatar imageChuckc ( 2024-04-22 16:33:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-04-18 17:44:05 +0000

Seen: 542 times

Last updated: Apr 22