
Another filter question


As a retired IT/Network tech I've forgotten how to use most of these tools. I have an iPad that keeps losing wifi connection, or that is what my wife says. The other 12 wireless devices have no issue. How can I set up either a monitor filter or display filter to just see traffic between the iPad and router? All internal addresses, with the iPad at 192.168.1.26 and the router the usual 192.168.1.1. Is this even possible? When I follow other help comments the filter field remains red. I don't want to spend a large amount of time relearning at my age. Willing to educate a bit for the ROI of time.

Thanks and appreciate any replies

SteveT, asked 2019-01-25 18:42:05 +0000

Comments

Thanks everyone for the replies. Really appreciate it. Guess I will need to read up. Never dealt with wireless beyond hardware and a few tweaks. I have 2 PCs hard wired. Been thinking about a wireless card in one. Will look at cards that can be put in monitor mode. I can't say thanks enough.

SteveT (2019-01-26 15:13:40 +0000)

1 Answer


The filter is the easy part; the capture setup is the harder part.

A Wireshark capture filter uses pcap-filter syntax, so you could specify a capture filter something like, host 192.168.1.26 and host 192.168.1.1. Such a capture filter would only capture traffic between these 2 host endpoints.

If instead you want to capture more than just the traffic between those 2 endpoints and filter traffic later using a Wireshark display filter, then you could post-apply one using the Wireshark display filter syntax. An example of a display filter to only display traffic between the aforementioned 2 endpoints is, ip.addr eq 192.168.1.26 and ip.addr eq 192.168.1.1.

As I mentioned above though, the capture setup part is probably going to be the harder problem for you to solve, because you need to be able to capture the wireless traffic between the iPad and router, and for that, you'll need a device with a wireless card capable of being placed into monitor mode so the relevant wireless traffic can be captured. Perhaps a good place to get started with that is by visiting the WLAN (IEEE 802.11) capture setup wiki page.

cmaynard, answered 2019-01-25 19:37:31 +0000

Comments

("You" here refers to the person who asked the question.)

Note also that, if this network is a "protected" Wi-Fi network (using WEP, WPA, or WPA2), and you're capturing in monitor mode, you will see encrypted payloads (everything after the 802.11 layer), so you'll need to set up decryption of the traffic on the network.

Furthermore, as the decryption occurs inside Wireshark, not inside the OS kernel or inside libpcap, capture filters on fields in the IP header won't work on a "protected" network, as the filtering is done in the OS kernel (or, on some OSes, inside the libpcap library, but you're almost certainly not using one of those OSes). You could, however, capture with a capture filter using the MAC addresses of, for example, the iPad and the access point for your network (which is probably the "router" to which you're referring).

Guy Harris (2019-01-25 22:43:46 +0000)

He might have to capture filter like that anyway, since "losing the wifi connection" suggests to me a problem at the MAC layer, not on the IP layer.

Jaap (2019-01-26 08:18:44 +0000)
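The following is an added example, not code from the answer or the comments above. It is a small Python model of how the display filters discussed in this thread select frames, run over constructed packet records: it shows that ip.addr eq A and ip.addr eq B matches both directions of a conversation whereas ip.src == A and ip.dst == B matches only one, and that in a monitor-mode capture of a protected (WPA2) network without decryption the IP layer is not dissected, so the IP-based filter matches nothing while a filter on 802.11 addresses (wlan.addr) still works. The MAC addresses and the extra "other device" host are constructed placeholders, and 802.11 addressing is simplified to a source/destination pair.

```python
# Added example: a model of Wireshark display-filter semantics over constructed
# frames. Not Wireshark code; MAC addresses and the extra host are placeholders.
from dataclasses import dataclass
from typing import Callable, List, Optional

IPAD_IP, ROUTER_IP, OTHER_IP = "192.168.1.26", "192.168.1.1", "192.168.1.7"
# Constructed MAC addresses for the example; they do not refer to real devices.
IPAD_MAC, AP_MAC, OTHER_MAC = "aa:aa:aa:00:00:26", "bb:bb:bb:00:00:01", "cc:cc:cc:00:00:07"


@dataclass
class Frame:
    """Simplified frame: 802.11 addresses are always visible; the IP fields are
    None when the payload is encrypted and Wireshark has no key to decrypt it."""
    wlan_src: str
    wlan_dst: str
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None


Filter = Callable[[Frame], bool]


def ip_addr_eq(frame: Frame, addr: str) -> bool:
    """Model of `ip.addr eq addr`: true if addr is the source OR the destination."""
    return addr in (frame.ip_src, frame.ip_dst)


def wlan_addr_eq(frame: Frame, addr: str) -> bool:
    """Model of `wlan.addr eq addr` (simplified to two addresses per frame)."""
    return addr in (frame.wlan_src, frame.wlan_dst)


def conversation_ip(a: str, b: str) -> Filter:
    """`ip.addr eq a and ip.addr eq b`: both endpoints present, either direction."""
    return lambda f: ip_addr_eq(f, a) and ip_addr_eq(f, b)


def one_direction_ip(a: str, b: str) -> Filter:
    """`ip.src == a and ip.dst == b`: a common mistake, it misses the replies."""
    return lambda f: f.ip_src == a and f.ip_dst == b


def conversation_wlan(a: str, b: str) -> Filter:
    """`wlan.addr eq a and wlan.addr eq b`: usable even when payloads are encrypted."""
    return lambda f: wlan_addr_eq(f, a) and wlan_addr_eq(f, b)


def apply_filter(flt: Filter, frames: List[Frame]) -> List[Frame]:
    return [f for f in frames if flt(f)]


def count_matches(flt: Filter, frames: List[Frame]) -> int:
    return len(apply_filter(flt, frames))


def decrypted_capture() -> List[Frame]:
    """Constructed sample: what the frames look like once Wireshark can decrypt them."""
    return [
        Frame(IPAD_MAC, AP_MAC, IPAD_IP, ROUTER_IP),    # iPad -> router
        Frame(AP_MAC, IPAD_MAC, ROUTER_IP, IPAD_IP),    # router -> iPad
        Frame(OTHER_MAC, AP_MAC, OTHER_IP, ROUTER_IP),  # another device -> router
        Frame(IPAD_MAC, AP_MAC, IPAD_IP, OTHER_IP),     # iPad -> another device, via the AP
    ]


def encrypted_capture() -> List[Frame]:
    """The same frames as seen in monitor mode without the decryption key:
    802.11 addresses are visible, the IP header is not dissected."""
    return [Frame(f.wlan_src, f.wlan_dst) for f in decrypted_capture()]


if __name__ == "__main__":
    dec, enc = decrypted_capture(), encrypted_capture()
    print("decrypted, ip.addr both:  ", count_matches(conversation_ip(IPAD_IP, ROUTER_IP), dec))
    print("decrypted, ip.src/ip.dst: ", count_matches(one_direction_ip(IPAD_IP, ROUTER_IP), dec))
    print("encrypted, ip.addr both:  ", count_matches(conversation_ip(IPAD_IP, ROUTER_IP), enc))
    print("encrypted, wlan.addr both:", count_matches(conversation_wlan(IPAD_MAC, AP_MAC), enc))
```

Note the last count: on an infrastructure WLAN every frame the iPad sends passes through the access point's MAC address, so a MAC-based filter on the iPad and the AP selects all of the iPad's wireless traffic (here including the frame addressed to the other device at the IP layer), not only its IP conversation with the router. For the "losing the wifi connection" problem in the question that wider view is what you want anyway, since the association, authentication and deauthentication frames have no IP layer at all.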
