Wireshark: 802.11 Frame Display Filters
Introduction
When using a wireless network card in monitor mode (using airmon-ng), Wireshark will not just pick up Ethernet-level frames, but also the raw wireless 802.11 frames. This data is very interesting, but the volumes can be large: wireless Access Points send out a lot of “beacon frames” that you might want to filter.
In this post we provide a list of the most useful Wireshark display filters for 802.11 frames. Use them in Wireshark in the filter field displayed below.
As opposed to capture filters, display filters can be changed on the fly.
802.11 Frame Format
The generic 802.11 frame structure is displayed below. Most of the interesting values are in the Frame Control section, because this section determines the type of the frame.
802.11 Frame Format
Display Filters
wlan.fc.type == 0 Management frames
wlan.fc.type == 1 Control frames
wlan.fc.type == 2 Data frames
wlan.fc.type_subtype == 0 Association request
wlan.fc.type_subtype == 1 Association response
wlan.fc.type_subtype == 2 Reassociation request
wlan.fc.type_subtype == 3 Reassociation response
wlan.fc.type_subtype == 4 Probe request
wlan.fc.type_subtype == 5 Probe response
wlan.fc.type_subtype == 8 Beacon
wlan.addr = 12:34:56:AB:CD:EF Select frames where any of the four address
fields matches the given MAC address.
So if you want to filter out any frame that is a management or control frame, but not a beacon, then you would use the filter:
wc.fc.type != 2 && wlan.fc.subtype == 0x08
For more filtering options check out this excellent 802.11 Pocket_Reference_Guide.
