Wireshark Display Filters

Wireshark has two filtering languages: one used when capturing packets, and one used when displaying packets. The display filters below were already shared by Clear To Send. They were shared as an image file, so I decided to put the different filters together and type them out here, so people can just copy and paste the filters instead of having to type them again themselves.

Wireshark Display Filters related to management traffic:

wlan.fc.type == 0                  all management frames
wlan.fc.type_subtype == 0          association requests
wlan.fc.type_subtype == 1          association responses
wlan.fc.type_subtype == 2          re-association requests
wlan.fc.type_subtype == 3          re-association responses
wlan.fc.type_subtype == 4          probe requests
wlan.fc.type_subtype == 5          probe responses
wlan.fc.type_subtype == 8          beacons
wlan.fc.type_subtype == 9          ATIMs
wlan.fc.type_subtype == 10         disassociations
wlan.fc.type_subtype == 11         authentications
wlan.fc.type_subtype == 12         deauthentications
wlan.fc.type_subtype == 13         actions

Wireshark Display Filters related to control frame traffic:

wlan.fc.type == 1                  all control frames
wlan.fc.type_subtype == 24         block ack requests
wlan.fc.type_subtype == 25         block acks
wlan.fc.type_subtype == 26         PS-polls
wlan.fc.type_subtype == 27         RTS
wlan.fc.type_subtype == 28         CTS
wlan.fc.type_subtype == 29         ACKs
wlan.fc.type_subtype == 30         CF-ends
wlan.fc.type_subtype == 31         CF-ends + CF-acks

Wireshark Display Filters related to data frame traffic:

wlan.fc.type == 2                  all data frames
wlan.fc.type_subtype == 32         data frames
wlan.fc.type_subtype == 33         data + CF-ack
wlan.fc.type_subtype == 34         data + CF-poll
wlan.fc.type_subtype == 35         data + CF-ack + CF-poll
wlan.fc.type_subtype == 36         null data
wlan.fc.type_subtype == 37         CF-ack
wlan.fc.type_subtype == 38         CF-poll
wlan.fc.type_subtype == 39         CF-ack + CF-poll
wlan.fc.type_subtype == 40         QoS data
wlan.fc.type_subtype == 41         QoS data + CF-ack
wlan.fc.type_subtype == 42         QoS data + CF-poll
wlan.fc.type_subtype == 43         QoS data + CF-ack + CF-poll
wlan.fc.type_subtype == 44         QoS null
wlan.fc.type_subtype == 46         QoS CF-poll
wlan.fc.type_subtype == 47         QoS CF-ack + CF-poll

Wireshark Display Filters related to retries:

wlan.fc.retry == 1                             retry frames
wlan.fc.retry == 1 && wlan.fc.tods == 1        retries towards the AP
wlan.fc.retry == 1 && wlan.fc.fromds == 1      retries from the AP towards the client device

Wireshark Display Filters related to 802.11k/v/r traffic:

wlan.fixed.action_code == 23                                802.11v DMS request
wlan.fixed.action_code == 24                                802.11v DMS response
wlan.rm.action_code == 4                                    802.11k neighbour request
wlan.rm.action_code == 5                                    802.11k neighbour response
(wlan.fc.type_subtype == 0) && (wlan.rsn.akms.type == 3)    802.11r auth request
(wlan.fc.type_subtype == 1) && (wlan.tag.number == 55)      802.11r auth response
(wlan.fc.type_subtype == 2) && (wlan.tag.number == 55)      802.11r re-association request
(wlan.fc.type_subtype == 3) && (wlan.tag.number == 55)      802.11r re-association response

Wireshark Display Filters related to weak signals:

wlan_radio.signal_dbm < -67                                      weak signal filter
wlan.fc.type_subtype == 0x05 && wlan_radio.signal_dbm < -75      weak probe responses
wlan.fc.type_subtype == 0x04 && wlan_radio.signal_dbm < -75      weak probe requests

Some extras (replace the placeholders in angle brackets with your own values):

wlan.addr == <mac address>         specific client by MAC address
wlan.ta == <mac address>           transmitter address
wlan.ra == <mac address>           receiver address
wlan.sa == <mac address>           source address
wlan.da == <mac address>           destination address
wlan.bssid == <ap mac address>     radio (BSSID) MAC address
wlan.mgt.ssid == "your-ssid"       filter by SSID
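The numbers in the tables above are not arbitrary: Wireshark derives wlan.fc.type_subtype from the two-byte 802.11 Frame Control field as (type << 4) | subtype, which is why control frames land at 24-31 and data frames at 32-47, and the retry/ToDS/FromDS filters test single bits of the flags byte. The script below is an added example (not from the original post or from Wireshark) that decodes constructed Frame Control bytes into those wlan.fc.* values, rebuilds the matching filter, and tallies frames by filter, the kind of count a defender would watch for a burst of deauthentications.

```python
"""Decode 802.11 Frame Control bytes into the wlan.fc.* values the filters test.
Assumption (not from the page): the sample Frame Control bytes are constructed."""
from collections import Counter

# Wireshark computes wlan.fc.type_subtype as (type << 4) | subtype, so control
# frames show up as 16..31 and data frames as 32..47 in the tables above.
NAMES = {0: "association request", 1: "association response", 4: "probe request",
         5: "probe response", 8: "beacon", 11: "authentication",
         12: "deauthentication", 27: "rts", 28: "cts", 29: "ack",
         32: "data", 36: "null data", 40: "qos data", 44: "qos null"}


def decode_fc(fc: bytes) -> dict:
    """Return the wlan.fc.* values packed into the two-byte Frame Control field."""
    if len(fc) != 2:
        raise ValueError("Frame Control is exactly two bytes")
    b0, flags = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3       # byte 0 bits 2-3: 0 mgmt, 1 control, 2 data
    subtype = (b0 >> 4) & 0xF     # byte 0 bits 4-7
    return {
        "type": ftype,                            # wlan.fc.type
        "type_subtype": (ftype << 4) | subtype,   # wlan.fc.type_subtype
        "tods": flags & 0x01,                     # wlan.fc.tods   (flags bit 0)
        "fromds": (flags >> 1) & 0x01,            # wlan.fc.fromds (flags bit 1)
        "retry": (flags >> 3) & 0x01,             # wlan.fc.retry  (flags bit 3)
    }


def display_filter(fc: bytes) -> str:
    """Build the narrowest filter from the tables above that matches this frame."""
    d = decode_fc(fc)
    terms = [f"wlan.fc.type_subtype == {d['type_subtype']}"]
    for flag in ("retry", "tods", "fromds"):
        if d[flag]:
            terms.append(f"wlan.fc.{flag} == 1")
    return " && ".join(terms)


def count_by_filter(frames) -> Counter:
    """Tally frames by matching filter, e.g. to spot a burst of deauthentications."""
    return Counter(display_filter(fc) for fc in frames)


# Constructed sample: one beacon, three deauths, one ACK, one retried QoS data
# frame sent from the AP (FromDS). These are not frames from a real capture.
SAMPLE_FRAMES = [b"\x80\x00", b"\xc0\x00", b"\xc0\x00", b"\xc0\x00",
                 b"\xd4\x00", b"\x88\x0a"]

if __name__ == "__main__":
    for filt, n in count_by_filter(SAMPLE_FRAMES).items():
        ts = int(filt.split()[2])          # the type_subtype number in the filter
        print(f"{n:3d}  {filt:70s} {NAMES.get(ts, 'other')}")
```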

There are some great wireless traffic filters on the Wireshark website as well as on the WiFi Ninjas blog post about Wireshark filters.
