Wireshark-users: Re: [Wireshark-users] Capture filters for wlan
From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sat, 3 Jul 2010 13:56:00 +0200
Hi Guy, Hi G,

I've been looking at the offsets and I've figured this out:
ra  b0:14:1e:30:74:a8
ta  00:16:b6:bc:d6:7b
da  00:16:b6:bc:d6:7b

ra capture filter
wlan[4:4]==0xb0141e30

wlan[4:4*]
* 4 seems to be the max

ta
wlan[10:4]==0x0016b6bc

da
wlan[16:4]==0x0016b6bc

wlan[4:4]==0xb0141e30 or wlan[10:4]==0x0016b6bc
wlan[4:4]==0xb0141e30 and wlan[10:4]==0x0016b6bc

My best
Joke

On Fri, 2 Jul 2010 13:43:44 -0700 Guy Harris wrote:
>On Jul 2, 2010, at 1:34 PM, G Capps wrote:
>
>>>> Unfortunately, there aren't libpcap capture filters for the TA and RA.
>>>> Time for me to dive into libpcap's grammar.y/gencode.c again, to add
>>>> TA and RA filters....
>> 
>> I was afraid there might not be any.  But are you suggesting that they
>> may be available in a future revision?
>
>I'm saying that libpcap should probably be enhanced to support more filters
>for 802.11 MAC addresses; if somebody implements them in a future libpcap
>release, they'll be available in future versions of {at least some Linux
>distributions, *BSDs that bother to pick up that version of libpcap, Mac
>OS X if it picks up that version of libpcap, WinPcap, etc.}.
>
>On UN*X, libpcap isn't part of Wireshark, so a future Wireshark revision
>won't make a difference; you'd have to install an updated version of libpcap
>yourself.  On Windows, Wireshark is packaged with WinPcap, so if a future
>WinPcap is based on a future libpcap with those additional filters, some
>future Wireshark release would probably be packaged with that future WinPcap
>(and you might be able to install it on your system yourself).
>
>I wouldn't expect it to happen soon, however; libpcap, like Wireshark, is
>free software, so it's up to somebody who has enough Copious Free Time(TM)
>to work on it.
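
Added example (not part of the original thread or of libpcap): since a `wlan[offset:size]` load is limited to 1, 2 or 4 bytes, the filters above compare only the first four bytes of each address, so any station sharing that prefix also matches. The sketch below builds a full 48-bit match from one 4-byte and one 2-byte comparison, using the offsets from the post (4, 10, 16), and checks it against a constructed header; the function names and the sample frame are assumptions for illustration.

```python
import re

# Address field offsets inside the 802.11 MAC header, as used in the post.
OFFSETS = {"ra": 4, "ta": 10, "da": 16}

def mac_bytes(mac):
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into 6 raw bytes."""
    if not re.fullmatch(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))

def wlan_addr_filter(field, mac):
    """Capture filter matching all 6 address bytes: a 4-byte load plus a 2-byte load."""
    off = OFFSETS[field]
    b = mac_bytes(mac)
    return (f"(wlan[{off}:4]==0x{b[:4].hex()} and "
            f"wlan[{off + 4}:2]==0x{b[4:].hex()})")

def matches(header, field, mac):
    """Apply the same two comparisons to raw 802.11 header bytes."""
    off = OFFSETS[field]
    b = mac_bytes(mac)
    if len(header) < off + 6:
        # Short control frames (ACK, CTS) carry only RA; an out-of-range
        # load makes a BPF filter reject the packet, so mirror that here.
        return False
    return header[off:off + 4] == b[:4] and header[off + 4:off + 6] == b[4:]

def prefix_matches(header, field, mac):
    """The 4-byte-only comparison from the post, for contrast."""
    off = OFFSETS[field]
    return header[off:off + 4] == mac_bytes(mac)[:4]

RA, TA, DA = "b0:14:1e:30:74:a8", "00:16:b6:bc:d6:7b", "00:16:b6:bc:d6:7b"

# Constructed sample: frame control + duration, three addresses, sequence control.
SAMPLE = (bytes.fromhex("08010000") + mac_bytes(RA) + mac_bytes(TA)
          + mac_bytes(DA) + b"\x00\x00")
# Constructed neighbour frame whose RA shares only the first four bytes.
NEIGHBOUR = SAMPLE[:8] + b"\xff\xff" + SAMPLE[10:]

if __name__ == "__main__":
    print(wlan_addr_filter("ra", RA) + " or " + wlan_addr_filter("ta", TA))
    print("prefix filter matches neighbour:", prefix_matches(NEIGHBOUR, "ra", RA))
    print("full filter matches neighbour:  ", matches(NEIGHBOUR, "ra", RA))
```

The printed expression can be pasted into the capture filter field as-is; the parentheses keep the `and` pairs grouped when several addresses are joined with `or`.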