Ask Your Question
0

Another filter question

asked 2019-01-25 18:42:05 +0000

SteveT gravatar image

As a retired IT/Network tech i've forgotten how to use most of these tools. I have an iPad that keeps losing wifi connection, or that is what my wife says. the other 12 wireless device have no issue. How can I set up either a monitor filter or display filter to just see traffic between the iPad and router? all internal addresses with the iPad at 192.168.1.26 and the router the usual 192.168.1.1 Is this even possible? when I follow other help comments the filter field remains red. I don't want to spend a large amount of time relearning at my age. Willing to educate a bit for the ROI of time.

Thanks and appreciate any replies

edit retag flag offensive close merge delete

Comments

Thanks everyone for the replies. Really appreciate it. Guess I will need to read up. Never dealt with wireless beyond hardware and a few tweaks. I have 2 PC's hard wired. Been thinking about a wireless card in one. will look at cards that can be put in monitor mode. I can't say thanks enough.

SteveT gravatar imageSteveT ( 2019-01-26 15:13:40 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-01-25 19:37:31 +0000

cmaynard gravatar image

The filter is the easy part; the capture setup is the harder part.

A Wireshark capture filter uses pcap-filter syntax, so you could specify a capture filter something like, host 192.168.1.26 and host 192.168.1.1. Such a capture filter would only capture traffic between these 2 host endpoints.

If instead you want to capture more than just the traffic between those 2 endpoints and filter traffic later using a Wireshark display filter, then you could post-apply one using the Wireshark display filter syntax. An example of a display filter to only display traffic between the aforementioned 2 endpoints is, ip.addr eq 192.168.1.26 and ip.addr eq 192.168.1.1.

As I mentioned above though, the capture setup part is probably going to be the harder problem for you to solve, because you need to be able to capture the wireless traffic between the iPad and router, and for that, you'll need a device with a wireless card capable of being placed into monitor mode so the relevant wireless traffic can be captured. Perhaps a good place to get started with that is by visiting the WLAN (IEEE 802.11) capture setup wiki page.

edit flag offensive delete link more

Comments

("You" here refers to the person who asked the question.)

Note also that, if this network is a "protected" Wi-Fi network (using WEP, WPA, or WPA2), and you're capturing in monitor mode, you will see encrypted payloads (everything after the 802.11 layer), so you'll need to set up decryption of the traffic on the network.

Furthermore, as the decryption occurs inside Wireshark, not inside the OS kernel or inside libpcap, capture filters on fields in the IP header won't work on a "protected" network, as the filtering is done in the OS kernel (or, on some OSes, inside the libpcap library, but you're almost certainly not using one of those OSes). You could, however, capture with a capture filter using the MAC addresses of, for example, the iPad and the access point for your network (which is probably the "router" to which you're referring).

Guy Harris gravatar imageGuy Harris ( 2019-01-25 22:43:46 +0000 )edit

He might have to capture filter like that anyway, since "losing the wifi connection" suggests to me a problem at the MAC layer, not on the IP layer.

Jaap gravatar imageJaap ( 2019-01-26 08:18:44 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-01-25 18:42:05 +0000

Seen: 588 times

Last updated: Jan 25 '19