Ethereal Wireless Filters
Posted by William
It's been a while since I've posted but here I am. I'm about to start on adding videos and posts on a monthly basis now.
I'll be focusing on Cisco network hijinks but just to restart the blog here I'll start with Ethereal wireless filters since
I've been using these lately. I could not find a reference manual or anything of that sort to point out what filters showed
what so I've made my own. If you deal with wireless on a daily basis the filters shown below are a lifesaver.
Now, 802.11 wireless uses three types of frames:
- Management - are used to control the joining and leaving of a BSS
- Control - acknowledge the reception of incoming data frames
- Data - contain upper-layer data
The corresponding display filter syntax for each type is as follows:
Management Frames
wlan.fc.type == 0
Control Frames
wlan.fc.type == 1
Data Frames
wlan.fc.type == 2
There are eleven types of management frames:
- Association request frame
- Association response frame
- Reassociation request frame
- Reassociation response frame
- Probe request frame
- Probe response frame
- Beacon frame
- ATIM frame
- Disassociation frame
- Authentication frame
- Deauthentication frame
I will only discuss the relevent frames and filters that correspond to them. By displaying only specific packets you can
analyze specific frame types for any errors or misconfigurations that you might have on your wireless network or harvest
information from a nearby wireless network for pentesting purposes of course ;-).
Association Request Frames
wlan.fc.type_subtype == 0
Association Response Frames
wlan.fc.type_subtype == 1
Probe Request Frames
wlan.fc.type_subtype == 4
Probe Response Frames
wlan.fc.type_subtype == 5
Beacon Frames
wlan.fc.type_subtype == 8
Here is a useful tip for this filter type it in but add an exclamation point at the beginning and it will filter out and exclude all beacons and leave you with the more useful frames.
!wlan.fc.type_subtype == 8Authentication Frames
wlan.fc.type_subtype == 11
Deauthentication Frames
wlan.fc.type_subtype == 12
I hope this helps as a good reference.
~Will