Wireshark has two filtering languages: one used when capturing packets, and one used when displaying packets. These display filters have already been shared by Clear To Send. They were shared as an image file, so I decided to combine the different filters and type them out here so people can copy and paste them instead of having to type them again themselves.
Wireshark display filters related to management traffic:
| Filter | Description |
|---|---|
| wlan.fc.type == 0 | all management frames |
| wlan.fc.type_subtype == 0 | association requests |
| wlan.fc.type_subtype == 1 | association response |
| wlan.fc.type_subtype == 2 | re-association request |
| wlan.fc.type_subtype == 3 | re-association response |
| wlan.fc.type_subtype == 4 | probe requests |
| wlan.fc.type_subtype == 5 | probe responses |
| wlan.fc.type_subtype == 8 | beacons |
| wlan.fc.type_subtype == 9 | atims |
| wlan.fc.type_subtype == 10 | disassociations |
| wlan.fc.type_subtype == 11 | authentications |
| wlan.fc.type_subtype == 12 | deauthentications |
| wlan.fc.type_subtype == 13 | actions |
Wireshark display filters related to control frame traffic:
| Filter | Description |
|---|---|
| wlan.fc.type == 1 | all control frames |
| wlan.fc.type_subtype == 24 | block ack requests |
| wlan.fc.type_subtype == 25 | block ack |
| wlan.fc.type_subtype == 26 | ps-polls |
| wlan.fc.type_subtype == 27 | rts |
| wlan.fc.type_subtype == 28 | cts |
| wlan.fc.type_subtype == 29 | acks |
| wlan.fc.type_subtype == 30 | cf-ends |
| wlan.fc.type_subtype == 31 | cf-ends/cf-acks |
Wireshark display filters related to data frame traffic:
| Filter | Description |
|---|---|
| wlan.fc.type == 2 | all data frames |
| wlan.fc.type_subtype == 32 | data frames |
| wlan.fc.type_subtype == 33 | data + cf-ack |
| wlan.fc.type_subtype == 34 | data + cf-poll |
| wlan.fc.type_subtype == 35 | data + cf-ack + cf-poll |
| wlan.fc.type_subtype == 36 | null data |
| wlan.fc.type_subtype == 37 | cf-ack |
| wlan.fc.type_subtype == 38 | cf-poll |
| wlan.fc.type_subtype == 39 | cf-ack + cf-poll |
| wlan.fc.type_subtype == 40 | qos data |
| wlan.fc.type_subtype == 41 | qos data + cf-ack |
| wlan.fc.type_subtype == 42 | qos data + cf-poll |
| wlan.fc.type_subtype == 43 | qos data + cf-ack + cf-poll |
| wlan.fc.type_subtype == 44 | qos null |
| wlan.fc.type_subtype == 46 | qos cf-poll |
| wlan.fc.type_subtype == 47 | qos cf-ack + cf-poll |
Wireshark display filters related to retries:
| Filter | Description |
|---|---|
| wlan.fc.retry == 1 | retry frames |
| wlan.fc.retry == 1 && wlan.fc.tods == 1 | towards ap |
| wlan.fc.retry == 1 && wlan.fc.fromds == 1 | from ap towards client device |
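
The numbers in the filters above come straight from the 802.11 Frame Control field: `wlan.fc.type_subtype` is the 2-bit type and 4-bit subtype combined as type * 16 + subtype, and retry, tods and fromds are flag bits in the second byte. The following is an added example, not part of the original post; it assumes the input starts at the 802.11 MAC header (no radiotap header) and uses constructed sample bytes.

```python
# Added example: decode the 802.11 Frame Control field into the display-filter
# fields used on this page. Input must start at the 802.11 MAC header (no
# radiotap header); that and the sample frames below are assumptions.
from typing import NamedTuple

class FrameControl(NamedTuple):
    ftype: int         # wlan.fc.type: 0 management, 1 control, 2 data
    subtype: int       # 4-bit subtype within that type
    type_subtype: int  # wlan.fc.type_subtype = type * 16 + subtype
    tods: int          # wlan.fc.tods
    fromds: int        # wlan.fc.fromds
    retry: int         # wlan.fc.retry

def parse_frame_control(frame: bytes) -> FrameControl:
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    first, flags = frame[0], frame[1]
    if first & 0x03:
        raise ValueError("unknown protocol version")
    ftype, subtype = (first >> 2) & 0x03, (first >> 4) & 0x0F
    return FrameControl(ftype, subtype, (ftype << 4) | subtype,
                        flags & 0x01, (flags >> 1) & 0x01, (flags >> 3) & 0x01)

def display_filter(fc: FrameControl) -> str:
    """Build the filter that would match this frame's type and retry direction."""
    parts = [f"wlan.fc.type_subtype == {fc.type_subtype}"]
    if fc.retry:
        parts.append("wlan.fc.retry == 1")
        if fc.tods:
            parts.append("wlan.fc.tods == 1")
        if fc.fromds:
            parts.append("wlan.fc.fromds == 1")
    return " && ".join(parts)

def retry_summary(frames):
    """Count retries overall, towards the AP (ToDS) and from the AP (FromDS)."""
    parsed = [parse_frame_control(f) for f in frames]
    return {"frames": len(parsed),
            "retries": sum(fc.retry for fc in parsed),
            "retries_to_ap": sum(fc.retry & fc.tods for fc in parsed),
            "retries_from_ap": sum(fc.retry & fc.fromds for fc in parsed)}

# Constructed sample headers (Frame Control bytes only), not captured traffic.
SAMPLES = [bytes.fromhex(h) for h in
           ("8000", "c000", "d400", "8809", "880a", "0802")]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.hex(), "->", display_filter(parse_frame_control(raw)))
    print(retry_summary(SAMPLES))
```
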
Wireshark display filters related to 802.11 k,v,r traffic:
| Filter | Description |
|---|---|
| wlan.fixed.action_code == 23 | 802.11v dms request |
| wlan.fixed.action_code == 24 | 802.11v dms response |
| wlan.fixed.action_code == 4 | 802.11k neighbour request |
| wlan.fixed.action_code == 5 | 802.11k neighbour response |
| (wlan.fc.type_subtype == 0) && (wlan.rsn.akms.type == 3) | 802.11r auth request |
| (wlan.fc.type_subtype == 1) && (wlan.tag.number == 55) | 802.11r auth response |
| (wlan.fc.type_subtype == 2) && (wlan.tag.number == 55) | 802.11r re-association request |
| (wlan.fc.type_subtype == 3) && (wlan.tag.number == 55) | 802.11r re-association response |
| wlan.fixed.action_code == 7 | BSS Transition (Steering) |
| wlan.fixed.action_code == 8 | BSS Transition (Steering) |
Display filters related to weak signals:
| Filter | Description |
|---|---|
| wlan_radio.signal_dbm < -67 | weak signal filter |
| wlan.fc.type_subtype == 0x05 && wlan_radio.signal_dbm < -75 | weak probe response |
| wlan.fc.type_subtype == 0x04 && wlan_radio.signal_dbm < -75 | weak probe requests |
Some extras:
| Filter | Description |
|---|---|
| wlan.addr == mac address | specific client by mac address |
| wlan.ta == mac address | transmitter address |
| wlan.ra == mac address | receive address |
| wlan.sa == mac address | source address |
| wlan.da == mac address | destination address |
| wlan.bssid == ap mac address | radio mac address |
| wlan.mgt.ssid == "your-ssid" | filter by ssid |
There are some great wireless traffic filters on the Wireshark website as well as in the WiFi Ninjas blog post on Wireshark filters.
wlan.fc.type_subtype == 14 Action No Ack
wlan.fc.type_subtype == 15 Aruba Management
wlan.fc.type_subtype == 16 Unrecognized (Reserved frame)
wlan.fc.type_subtype == 17 Unrecognized (Reserved frame)
wlan.fc.type_subtype == 18 Trigger
wlan.fc.type_subtype == 19 Unrecognized (Reserved frame)
wlan.fc.type_subtype == 20 Beamforming Report Poll
wlan.fc.type_subtype == 21 VHT/HE NDP Announcement
wlan.fc.type_subtype == 23 Control Wrapper
wlan.fc.type_subtype == 24 802.11 Block Ack Req
wlan.fc.type_subtype == 25 802.11 Block Ack
wlan.fc.type_subtype == 26 Power-Save poll
wlan.fc.type_subtype == 27 Request-to-send
wlan.fc.type_subtype == 28 Clear-to-send
wlan.fc.type_subtype == 29 Acknowledgement
wlan.fc.type_subtype == 30 CF-End (Control-frame)
wlan.fc.type_subtype == 31 CF-End + CF-Ack (Control-frame)
wlan.fc.type_subtype == 32 Data
wlan.fc.type_subtype == 33 Data + CF-Ack
…
Thanks for input Odon 🙂
Hi,
How can I find WLAN re-key packets in Wireshark?
kukhareva.com