
WLAN Capture Filter on OUI


Been playing for hours now, so coming to the experts! I am pretty sure this is really a PCAP question, but I can't figure out where to ask that either. Not so smart am I. At any rate, I have been trying to set up a capture filter to gather everything to/from a particular OUI on wifi. The setup: mediatek wifi adapters on linux in monitor mode. Working great.

Using slicing I can do anything I want with wlan[0] == 0xnn and get the expected results. However, using any other byte, e.g. wlan[1] == 0xnn, results in a null capture, even though I am using an nn that I know is byte two of the station. Of course, the more complicated forms don't work either, such as wlan[0:2] == 0xnnnn and so on.

Wish I had added: tried with 3.2.15rc0 and v3.4.7rc0-42-ge479ced643a7 compiled natively on RPI, also loaded 1.8.1 and 1.10.0 libpcap. Kernel is 5.10.17-v71+

clutch2sft
asked 2021-07-12 20:51:07 +0000, updated 2021-07-12 22:40:21 +0000

Comments

Are you looking for a capture filter (pcap-filter) or a display filter (wireshark-filter)?

Chuckc (2021-07-12 22:26:47 +0000)

Capture filter for sure. Need to reduce the clutter on the capture side.

clutch2sft (2021-07-12 22:35:18 +0000)

wlan [0] == 0xnn is syntax for a Wireshark display filter.
Check the pcap-filter man page for capture filter syntax.
See this previous question for wlan capture filter examples.

Chuckc (2021-07-12 22:44:13 +0000)

Thank you for your answer. I have read the man page many times ... because I miss stuff all the time. It is not helping me to achieve my goal. The syntax you and I reference is shown in various places as pcap syntax. The man page says: Similarly, tr and wlan are aliases for ether;

This shows a valid way to do what I want to do, and it works on ethernet (link to valid way).

Copied here for ease of access. 'ether[0:2] == 0x1122 && ether[2:1] == 0x33 \ || ether[6:2] == 0x1122 && ether[8:1] == 0x33'

So my guess is wlan alias slicing doesn't work correctly? Because I have followed it directly as the man page states.

clutch2sft (2021-07-12 22:53:57 +0000)

(wlan[4:2]==0x026a && wlan[6]==0xe3) or (wlan[10:2]==0x026a && wlan[12]==0xe3)

There are four (4) bytes before the addresses start. The capture filter above matched 02:6a:e3.

Chuckc (2021-07-12 23:44:29 +0000)

1 Answer

(wlan[4:2]==0x026a && wlan[6]==0xe3) or (wlan[10:2]==0x026a && wlan[12]==0xe3)

There are four (4) bytes before the addresses start. The capture filter above matched 02:6a:e3.

A slightly different syntax which might be easier to read, from this old question:

(wlan[4:4] & 0xffffff00 == 0x026ae300) or (wlan[10:4] & 0xffffff00 == 0x026ae300)

Based on the answers at the end of the question above, you might want to refine the filter based on the type of frame by looking at the first bytes of wlan.

The Packet Diagram below is for a data frame; it shows 4 bytes for Type/Subtype and Duration before the addresses.

[Image: Wireshark Packet Diagram of an 802.11 data frame header]

Chuckc
answered 2021-07-13 00:22:25 +0000
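As an added example (not code from the thread or from Wireshark/libpcap), the following Python script parses the 802.11 MAC header at the offsets the answer relies on and applies the same OUI test as the capture filter above, generalised to any 3-byte OUI. It assumes the buffer starts at the Frame Control field (any radiotap header already stripped, which is what the wlan keyword does for you in pcap-filter); all frames and MAC addresses in it are constructed sample data. It also shows the refinement the answer hints at: decoding Type/Subtype and the To-DS/From-DS flags from the first two bytes, so the check can extend to Address 3 and, on WDS data frames, Address 4, which the two-address filter does not cover.

```python
# Added example, not code from the original thread: parse the 802.11 MAC
# header the way the capture filter in the answer does and show why the
# address offsets are 4 and 10.  Assumes the buffer starts at the 802.11
# Frame Control field (radiotap header already stripped); every frame and
# MAC address below is constructed sample data.
import struct

# 802.11 MAC header layout (byte offsets):
#   0  Frame Control (2)   2  Duration/ID (2)
#   4  Address 1 (6)      10  Address 2 (6)     16  Address 3 (6)
#  22  Sequence Control (2)                     24  Address 4 (6, WDS only)
ADDR1_OFF, ADDR2_OFF, ADDR3_OFF, ADDR4_OFF = 4, 10, 16, 24
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2


def frame_control(frame):
    """Decode Frame Control into (type, subtype, to_ds, from_ds)."""
    fc = struct.unpack_from("<H", frame, 0)[0]      # sent little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    return ftype, subtype, bool(flags & 0x01), bool(flags & 0x02)


def matches_oui(frame, oui):
    """Same test as the capture filter
         (wlan[4:2]==0x026a && wlan[6]==0xe3) or (wlan[10:2]==0x026a && wlan[12]==0xe3)
    for an arbitrary OUI: match on Address 1 or Address 2 only.
    A field that runs past the end of the frame (Address 2 on a 10-byte ACK)
    never matches, which is also how classic BPF treats an out-of-range load."""
    for off in (ADDR1_OFF, ADDR2_OFF):
        field = frame[off:off + 6]
        if len(field) == 6 and field[:3] == oui:
            return True
    return False


def matches_oui_any_address(frame, oui):
    """Extended check: also look at Address 3 (management and data frames)
    and Address 4 (data frames with both To-DS and From-DS set)."""
    ftype, _, to_ds, from_ds = frame_control(frame)
    offsets = [ADDR1_OFF, ADDR2_OFF]
    if ftype != TYPE_CTRL:
        offsets.append(ADDR3_OFF)
    if ftype == TYPE_DATA and to_ds and from_ds:
        offsets.append(ADDR4_OFF)
    for off in offsets:
        field = frame[off:off + 6]
        if len(field) == 6 and field[:3] == oui:
            return True
    return False


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(fc_byte, flags, addrs, seq_ctrl=True):
    """Assemble a constructed header: Frame Control, Duration, then addresses."""
    frame = bytes([fc_byte, flags]) + b"\x00\x00"   # the 4 bytes before Address 1
    frame += b"".join(mac(a) for a in addrs[:3])
    if seq_ctrl:
        frame += b"\x00\x00"                        # Sequence Control
    if len(addrs) == 4:
        frame += mac(addrs[3])                      # Address 4 lands at offset 24
    return frame


OUI = mac("02:6a:e3")   # the OUI matched in the thread
# Constructed frames: 0x08 = data frame, 0xd4 = ACK (control), flags 0x03 = To-DS|From-DS
DATA = build_frame(0x08, 0x00, ["02:6a:e3:11:22:33", "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff"])
DATA_ADDR3_ONLY = build_frame(0x08, 0x00, ["ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:ff", "02:6a:e3:44:55:66"])
ACK_TO_TARGET = build_frame(0xd4, 0x00, ["02:6a:e3:11:22:33"], seq_ctrl=False)
ACK_TO_OTHER = build_frame(0xd4, 0x00, ["aa:bb:cc:dd:ee:ff"], seq_ctrl=False)
WDS_ADDR4_ONLY = build_frame(0x08, 0x03, ["aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:f0",
                                          "aa:bb:cc:dd:ee:f1", "02:6a:e3:77:88:99"])

if __name__ == "__main__":
    samples = [("data", DATA), ("data/addr3", DATA_ADDR3_ONLY), ("ack/target", ACK_TO_TARGET),
               ("ack/other", ACK_TO_OTHER), ("wds/addr4", WDS_ADDR4_ONLY)]
    for name, f in samples:
        print(f"{name:12} type={frame_control(f)[0]} two_addr={matches_oui(f, OUI)} "
              f"any_addr={matches_oui_any_address(f, OUI)}")
```

The two-address function is exactly what the answer's filter does, so a frame whose only match is in Address 3 (for example, a broadcast data frame whose source is the target station behind an AP) passes the BPF filter as false; if those frames matter to you, the extended check shows which extra offsets a longer capture filter would have to test.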

Comments

That is what I was missing. Those four bytes caused me lots of pain. Thank you again.

clutch2sft (2021-07-13 00:26:22 +0000)

And BTW the reference to the old post above was SUPER helpful in understanding this thing better. I promise you none of my searches turned up that post. But I have added all this to my notebook for future reference.

clutch2sft (2021-07-13 10:49:25 +0000)
