Wireshark has two filtering languages: one used when capturing packets, and one used when displaying packets. These display filters have already been shared by Clear To Send. They were shared as an image file, so I decided to put the different filters together and type them here so people can just copy and paste the filters instead of having to type them again themselves.
Wireshark display filters related to management traffic:
wlan.fc.type == 0 | all management frames
wlan.fc.type_subtype == 0 | association requests
wlan.fc.type_subtype == 1 | association response
wlan.fc.type_subtype == 2 | re-association request
wlan.fc.type_subtype == 3 | re-association response
wlan.fc.type_subtype == 4 | probe requests
wlan.fc.type_subtype == 5 | probe responses
wlan.fc.type_subtype == 8 | beacons
wlan.fc.type_subtype == 9 | atims
wlan.fc.type_subtype == 10 | disassociations
wlan.fc.type_subtype == 11 | authentications
wlan.fc.type_subtype == 12 | deauthentications
wlan.fc.type_subtype == 13 | actions
Wireshark display filters related to control frame traffic:
wlan.fc.type == 1 | all control frames
wlan.fc.type_subtype == 24 | block ack requests
wlan.fc.type_subtype == 25 | block ack
wlan.fc.type_subtype == 26 | ps-polls
wlan.fc.type_subtype == 27 | rts
wlan.fc.type_subtype == 28 | cts
wlan.fc.type_subtype == 29 | acks
wlan.fc.type_subtype == 30 | cf-ends
wlan.fc.type_subtype == 31 | cf-ends/cf-acks
Wireshark display filters related to data frame traffic:
wlan.fc.type == 2 | all data frames
wlan.fc.type_subtype == 32 | data frames
wlan.fc.type_subtype == 33 | data + cf-ack
wlan.fc.type_subtype == 34 | data + cf-poll
wlan.fc.type_subtype == 35 | data + cf-ack + cf-poll
wlan.fc.type_subtype == 36 | null data
wlan.fc.type_subtype == 37 | cf-ack
wlan.fc.type_subtype == 38 | cf-poll
wlan.fc.type_subtype == 39 | cf-ack + cf-poll
wlan.fc.type_subtype == 40 | qos data
wlan.fc.type_subtype == 41 | qos data + cf-ack
wlan.fc.type_subtype == 42 | qos data + cf-poll
wlan.fc.type_subtype == 43 | qos data + cf-ack + cf-poll
wlan.fc.type_subtype == 44 | qos null
wlan.fc.type_subtype == 46 | qos cf-poll
wlan.fc.type_subtype == 47 | qos cf-ack + cf-poll
Wireshark display filters related to retries:
wlan.fc.retry == 1 | retry frames
wlan.fc.retry == 1 && wlan.fc.tods == 1 | towards ap
wlan.fc.retry == 1 && wlan.fc.fromds == 1 | from ap towards client device
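Where the numbers in the tables above come from, as an added example that is not part of the original post: the `wlan.fc.type_subtype` value is the 2-bit type and 4-bit subtype of the 802.11 Frame Control field combined as type * 16 + subtype, and retry, To DS and From DS are flag bits in its second byte. The function names and the sample bytes are constructed for illustration.

```python
import struct

def fc_fields(frame: bytes) -> dict:
    """Decode the Frame Control field that starts every 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("need the 2 Frame Control bytes")
    (fc,) = struct.unpack_from("<H", frame)  # transmitted little-endian
    ftype = (fc >> 2) & 0x3      # 0 = management, 1 = control, 2 = data
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8              # second byte: To DS, From DS, ..., Retry, ...
    return {
        "type": ftype,
        "subtype": subtype,
        # combined value used by the wlan.fc.type_subtype filters
        # (the control frame extension, type 1 subtype 6, is not handled here)
        "type_subtype": (ftype << 4) | subtype,
        "tods": flags & 0x01,
        "fromds": (flags >> 1) & 0x01,
        "retry": (flags >> 3) & 0x01,
    }

def matches(frame: bytes, **want: int) -> bool:
    """AND together field == value tests, like `a == 1 && b == 1` in a filter."""
    got = fc_fields(frame)
    return all(got[name] == value for name, value in want.items())

# Constructed samples: only the first two header bytes, radiotap already removed.
SAMPLES = {
    "beacon": bytes.fromhex("8000"),
    "deauthentication": bytes.fromhex("c000"),
    "ack": bytes.fromhex("d400"),
    "qos data, retry, towards ap": bytes.fromhex("8809"),
    "qos data, retry, from ap": bytes.fromhex("880a"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        f = fc_fields(raw)
        print(f"{name:30} type={f['type']} type_subtype={f['type_subtype']:2} "
              f"retry={f['retry']} tods={f['tods']} fromds={f['fromds']}")
```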
Wireshark display filters related to 802.11 k,v,r traffic:
wlan.fixed.action_code == 23 | 802.11v dms request
wlan.fixed.action_code == 24 | 802.11v dms response
wlan.fixed.action_code == 4 | 802.11k neighbour request
wlan.fixed.action_code == 5 | 802.11k neighbour response
(wlan.fc.type_subtype == 0) && (wlan.rsn.akms.type == 3) | 802.11r auth request
(wlan.fc.type_subtype == 1) && (wlan.tag.number == 55) | 802.11r auth response
(wlan.fc.type_subtype == 2) && (wlan.tag.number == 55) | 802.11r re-association request
(wlan.fc.type_subtype == 3) && (wlan.tag.number == 55) | 802.11r re-association response
wlan.fixed.action_code == 7 | BSS Transition (Steering)
wlan.fixed.action_code == 8 | BSS Transition (Steering)
Display filters related to weak signals:
wlan_radio.signal_dbm < -67 | weak signal filter
wlan.fc.type_subtype == 0x05 && wlan_radio.signal_dbm < -75 | weak probe responses
wlan.fc.type_subtype == 0x04 && wlan_radio.signal_dbm < -75 | weak probe requests
Some extras:
wlan.addr == mac address | specific client by mac address
wlan.ta == mac address | transmitter address
wlan.ra == mac address | receive address
wlan.sa == mac address | source address
wlan.da == mac address | destination address
wlan.bssid == ap mac address | radio mac address
wlan.mgt.ssid == "your-ssid" | filter by ssid
There are some great wireless traffic filters on the Wireshark website, as well as in the WiFi Ninjas Blog post on Wireshark filters.
wlan.fc.type_subtype == 14 Action No Ack
wlan.fc.type_subtype == 15 Aruba Management
wlan.fc.type_subtype == 16 Unrecognized (Reserved frame)
wlan.fc.type_subtype == 17 Unrecognized (Reserved frame)
wlan.fc.type_subtype == 18 Trigger
wlan.fc.type_subtype == 19 Unrecognized (Reserved frame)
wlan.fc.type_subtype == 20 Beamforming Report Poll
wlan.fc.type_subtype == 21 VHT/HE NDP Announcement
wlan.fc.type_subtype == 23 Control Wrapper
wlan.fc.type_subtype == 24 802.11 Block Ack Req
wlan.fc.type_subtype == 25 802.11 Block Ack
wlan.fc.type_subtype == 26 Power-Save poll
wlan.fc.type_subtype == 27 Request-to-send
wlan.fc.type_subtype == 28 Clear-to-send
wlan.fc.type_subtype == 29 Acknowledgement
wlan.fc.type_subtype == 30 CF-End (Control-frame)
wlan.fc.type_subtype == 31 CF-End + CF-Ack (Control-frame)
wlan.fc.type_subtype == 32 Data
wlan.fc.type_subtype == 33 Data + CF-Ack
…
Thanks for input Odon 🙂
Hi,
How can I find WLAN re-key packets in the Wireshark?
kukhareva.com