Networking
25 November 2011

Wireshark: 802.11 Frame Display Filters

Introduction

When using a wireless network card in monitor mode (using airmon-ng), Wireshark will not just pick up Ethernet-level frames, but also the raw wireless 802.11 frames. This data is very interesting, but the volumes can be large: wireless Access Points send out a lot of “beacon frames” that you might want to filter.

In this post we provide a list of the most useful Wireshark display filters for 802.11 frames. Enter them in the display filter field at the top of Wireshark's packet list.

802.11 Frame Format

The generic 802.11 frame structure is shown below. Most of the interesting values are in the Frame Control field, because its type and subtype bits determine what kind of frame it is.

Display Filters

wlan.fc.type == 0               Management frames
wlan.fc.type == 1               Control frames
wlan.fc.type == 2               Data frames
wlan.fc.type_subtype == 0       Association request
wlan.fc.type_subtype == 1       Association response
wlan.fc.type_subtype == 2       Reassociation request
wlan.fc.type_subtype == 3       Reassociation response
wlan.fc.type_subtype == 4       Probe request
wlan.fc.type_subtype == 5       Probe response
wlan.fc.type_subtype == 8       Beacon

wlan.addr == 12:34:56:AB:CD:EF  Select frames where any of 

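To show what these filters actually test, here is an added Python example (not from the original post) that decodes the Frame Control and address fields of a raw 802.11 MAC header and evaluates the page's "==" filters against constructed sample frames. It goes slightly beyond the list above by also handling short control-frame headers and 4-address data frames; the frame bytes and the client MAC 00:11:22:33:44:55 are constructed, while 12:34:56:AB:CD:EF is the BSSID used on the page.

```python
import struct

def mac_str(b: bytes) -> str:
    """Format a 6-byte address the way Wireshark prints it."""
    return ":".join(f"{x:02X}" for x in b)

def parse_80211_header(frame: bytes) -> dict:
    """Decode the fields the page's filters test from a raw 802.11 MAC header.
    Frame Control (2 bytes, little-endian): low-byte bits 0-1 protocol version,
    bits 2-3 type, bits 4-7 subtype; high byte flags (To DS bit 0, From DS bit 1).
    Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, which is why the
    management subtypes listed on the page equal their type_subtype values."""
    if len(frame) < 10:
        raise ValueError("shorter than Frame Control + Duration + Address 1")
    fc = struct.unpack_from("<H", frame, 0)[0]
    fc_type, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    # Control frames (ACK, CTS, RTS...) carry one or two addresses and no sequence
    # control; management/data carry three; a data frame with both DS bits set
    # (4-address WDS) carries a fourth after the sequence control field.
    if fc_type == 1:
        n_addr = 2 if len(frame) >= 16 else 1
    else:
        n_addr = 4 if (fc_type == 2 and to_ds and from_ds) else 3
    offsets = [4, 10, 16, 24][:n_addr]
    if len(frame) < offsets[-1] + 6:
        raise ValueError("frame truncated inside the address fields")
    return {"wlan.fc.type": fc_type, "wlan.fc.type_subtype": (fc_type << 4) | subtype,
            "wlan.fc.tods": to_ds, "wlan.fc.fromds": from_ds,
            "wlan.addr": [mac_str(frame[o:o + 6]) for o in offsets]}

def matches(frame: bytes, display_filter: str) -> bool:
    """Evaluate one '<field> == <value>' filter from the page against a frame.
    wlan.addr is true when ANY address field holds the MAC, as in Wireshark."""
    field, op, value = display_filter.split()
    if op != "==":
        raise ValueError("this example only evaluates the '==' operator")
    hdr = parse_80211_header(frame)
    if field == "wlan.addr":
        return value.upper() in hdr["wlan.addr"]
    return hdr[field] == int(value, 0)

# Constructed sample frames (MAC header only, no body or FCS). 12:34:56:AB:CD:EF is
# the BSSID from the page; the client address 00:11:22:33:44:55 is made up.
AP, STA, BCAST = bytes.fromhex("123456abcdef"), bytes.fromhex("001122334455"), b"\xff" * 6
SEQ = b"\x10\x00"
BEACON = bytes.fromhex("80000000") + BCAST + AP + AP + SEQ         # type 0, subtype 8
PROBE_REQ = bytes.fromhex("40000000") + BCAST + STA + BCAST + SEQ  # type 0, subtype 4
DATA_TO_AP = bytes.fromhex("08012c00") + AP + STA + AP + SEQ        # type 2, To DS set
ACK = bytes.fromhex("d4000000") + STA                               # type 1, subtype 13
```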
Security
3 April 2011

Sniffing Wireless Traffic With Backtrack

Introduction

Picking up traffic that is not destined for your MAC address on a network interface is generally done by putting the interface in promiscuous mode. On a wired Ethernet interface this works fine. However, in the case of wireless 802.11 traffic, there is a lot of traffic that promiscuous mode will not pick up.

In order to detect all packets in the air, even those that are not associated with an access point or ad-hoc network, you will need a chipset that supports monitor mode. This guide describes how to enable monitor mode on Backtrack 4, with the Intel Wireless Lan 3945 chipset. However, it should work for most Linux/WLAN card combinations, assuming your kernel supports the WLAN card and your wireless chipset supports monitor mode.

Enabling Monitor Mode

Fire up Wireshark and try to capture on your wireless network interface (in my case it was called wlan0). You will probably only see your own traffic. Now we will use the aircrack-ng package to create a new interface in monitor mode that passes ALL traffic in the air to Wireshark.

$ airmon-ng start wlan0

This creates a new interface called mon0. Now start a capture with Wireshark on that interface (be sure promiscuous mode…