Reputation: 14639
pcap (wireshark) filter by wlan mac address
There are (up to) 4 fields in an 802.11 frame that contain mac addresses:
source mactransmitter macdestination macreceiver mac
Is there a pcap capture filter for these values? Something similar to ether host ff:ff:ff:ff:ff:ff, for example.
I've looked at the PCAP-FILTER Manpage and it is unclear.
Upvotes: 3
Views: 4869
Answers (1)
Reputation: 14639
I think I found a solution, thanks to this answer: Server Fault - Is there some capture filter (or alternatives) that is especially useful for wireless capture?.
Source Address:
wlan src XX:XX:XX:XX:XX:XX or wlan sa XX:XX:XX:XX:XX:XX
Destination Address:
wlan dst XX:XX:XX:XX:XX:XX or wlan da XX:XX:XX:XX:XX:XX
Receiver Address:
wlan addr1 XX:XX:XX:XX:XX:XX or wlan ra XX:XX:XX:XX:XX:XX
Transmitter Address:
wlan addr2 XX:XX:XX:XX:XX:XX or wlan ta XX:XX:XX:XX:XX:XX
Support for ra and ta was added to pcap in 2010 per release notes:
Fri. August 6, 2010. [email protected]. Summary for 1.1.2 libpcap release
- Return DLT_ values, not raw LINKTYPE_ values from pcap_datalink() when reading pcap-ng files
- Add support for "wlan ra" and "wlan ta", to check the RA and TA of WLAN frames that have them
- Don't crash if "wlan addr{1,2,3,4}" are used without 802.11 headers
Upvotes: 2
Related Questions
- tshark to split pcap file based on MAC address
- How cab I get MAC address of a selected device in pcap.net
- How to filter MAC addresses using tcpdump?
- C: libpcap doesn't capture wlan0 packets
- How to filter by ethernet MAC address
- wireless sniffing using pcap, MAC address filter
- Python and libpcap. find source mac address of packet
- How do i capture MAC address of Access points and hosts connected to it?
- how to determinate destination MAC address
- Receiving packets for different MAC address