Wireshark display filters

eth.addr == AA:BB:CC:DD:EE:FF

wlan.addr == AA:BB:CC:DD:EE:FF

wlan.fc.type == 0 // management frame

wlan.fc.type == 1 // control frame

wlan.fc.type == 2 // data frame

wlan.fc.subtype == 4  // subtype alone is ambiguous: 4 is Probe request for management frames but Null for data frames; combine it with wlan.fc.type or use wlan.fc.type_subtype

wlan.fc.type_subtype == 0x00  // mgt assoc req

wlan.fc.type_subtype == 0x01  // mgt assoc rsp

wlan.fc.type_subtype == 0x04  // mgt probe req

wlan.fc.type_subtype == 0x05  // mgt probe rsp

wlan.fc.type_subtype == 0x08  // mgt Beacon

wlan.fc.type_subtype == 0x0A   // mgt Disassoc

wlan.fc.type_subtype == 0x0B   // mgt Auth

wlan.fc.type_subtype == 0x0C   // mgt Deauth

wlan.fc.type_subtype == 0x0D   // mgt Action

wlan.fc.type_subtype == 0x0E   // mgt Action No Ack

wlan.ta == AA:BB:CC:DD:EE:FF  // transmitter address (Address 2)

wlan.ra == AA:BB:CC:DD:EE:FF  // receiver address (Address 1)

wlan.da == AA:BB:CC:DD:EE:FF  // destination address; wlan.sa and wlan.bssid are the other address fields

wlan.addr == AA:BB:CC:DD:EE:FF  // matches any of the address fields

wlan.addr contains AA:BB:CC  // byte-sequence match anywhere inside an address; for an OUI prefix use wlan.addr[0:3] == AA:BB:CC

ip.addr == 1.2.3.4

tcp.port in {80 443 8080}

tcp.port == 80 || tcp.port == 443 || tcp.port == 8080

wlan type and subtype

Type and subtype come from the frame control field. The type_subtype column is the combined value Wireshark exposes as wlan.fc.type_subtype (type << 4 | subtype), so the management rows match the display filters above and, for example, RTS is 0x1B, ACK is 0x1D and QoS Data is 0x28.

Type  Name        Subtype    type_subtype  Description
00    Management  0000       0x00          Association request
00    Management  0001       0x01          Association response
00    Management  0010       0x02          Reassociation request
00    Management  0011       0x03          Reassociation response
00    Management  0100       0x04          Probe request
00    Management  0101       0x05          Probe response
00    Management  0110       0x06          Timing Advertisement
00    Management  0111       0x07          Reserved
00    Management  1000       0x08          Beacon
00    Management  1001       0x09          ATIM
00    Management  1010       0x0A          Disassociation
00    Management  1011       0x0B          Authentication
00    Management  1100       0x0C          Deauthentication
00    Management  1101       0x0D          Action
00    Management  1110       0x0E          Action No Ack
00    Management  1111       0x0F          Reserved
01    Control     0000-0110  0x10-0x16     Reserved
01    Control     0111       0x17          Control Wrapper
01    Control     1000       0x18          Block Ack Request (BlockAckReq)
01    Control     1001       0x19          Block Ack (BlockAck)
01    Control     1010       0x1A          PS-Poll
01    Control     1011       0x1B          RTS
01    Control     1100       0x1C          CTS
01    Control     1101       0x1D          ACK
01    Control     1110       0x1E          CF-End
01    Control     1111       0x1F          CF-End + CF-Ack
10    Data        0000       0x20          Data
10    Data        0001       0x21          Data + CF-Ack
10    Data        0010       0x22          Data + CF-Poll
10    Data        0011       0x23          Data + CF-Ack + CF-Poll
10    Data        0100       0x24          Null (no data)
10    Data        0101       0x25          CF-Ack (no data)
10    Data        0110       0x26          CF-Poll (no data)
10    Data        0111       0x27          CF-Ack + CF-Poll (no data)
10    Data        1000       0x28          QoS Data
10    Data        1001       0x29          QoS Data + CF-Ack
10    Data        1010       0x2A          QoS Data + CF-Poll
10    Data        1011       0x2B          QoS Data + CF-Ack + CF-Poll
10    Data        1100       0x2C          QoS Null (no data)
10    Data        1101       0x2D          Reserved
10    Data        1110       0x2E          QoS CF-Poll (no data)
10    Data        1111       0x2F          QoS CF-Ack + CF-Poll (no data)
11    Reserved    0000-1111  0x30-0x3F     Reserved

The table follows 802.11-2012. Later amendments fill in some of the Reserved entries: Control subtype 0010 is Trigger in 802.11ax, and type 11 became the Extension type whose subtype 0000 is DMG Beacon in 802.11ad, so a capture from newer hardware can contain values this table calls reserved.

Wireshark capture filters (pcap-filter / BPF syntax):

In capture filters, fddi, tr (Token Ring) and wlan are aliases for ether.

type mgt subtype [assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth and deauth]

type ctl subtype [rts, cts, ack ...]

type data subtype [data, qos-data, ...]

ether proto [ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui]

ether proto 0x888e   (EAPOL / 802.1X, the ethertype the WPA 4-way handshake is carried in)

ether src 11:22:33:44:55:66 and ether dst AA:BB:CC:DD:EE:FF

wlan addr1 11:22:33:44:55:66   (first address field, the receiver address)

wlan addr2 AA:BB:CC:DD:EE:FF   (second address field, the transmitter address)

tcp port 23 and not src host 10.0.0.5

Byte-index comparisons: expr relop expr, where an expr may be proto [ expr : size ]. proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio and names the protocol layer the index is relative to (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer; radio refers to the "radio header" added to some 802.11 captures). size is 1, 2 or 4 bytes and defaults to 1. Example: ip[6:2] & 0x1fff = 0 matches datagrams whose fragment offset is zero, i.e. unfragmented datagrams and the first fragment of fragmented ones.
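The byte-index expressions above, evaluated in Python over hand-built IPv4/TCP packets. This is an added example, not code from the original post: the index helper mirrors proto[expr:size], the packets are constructed inline (no Ethernet header, so offsets are relative to the IP header just as pcap's ip[...] offsets are, and checksums are left at zero), and it also shows the difference between the post's ip[6:2] & 0x1fff = 0 and the stricter ip[6:2] & 0x3fff = 0.

```python
# Added example (not part of the original post): evaluate pcap-filter byte-index
# expressions such as ip[6:2] & 0x1fff = 0 on hand-built IPv4/TCP packets.
# The packets are constructed here (no Ethernet header, so offsets are relative
# to the IP header exactly as pcap's ip[...] offsets are); checksums are left 0.
import struct

def index(buf, offset, size=1):
    """proto[offset:size]: big-endian unsigned read of 1, 2 or 4 bytes."""
    if size not in (1, 2, 4) or offset + size > len(buf):
        raise ValueError("index out of range")
    return int.from_bytes(buf[offset:offset + size], "big")

def ipv4_packet(proto, flags_frag, payload):
    """Constructed IPv4 header (20 bytes, no options) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + payload

def tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header; byte 13 holds the flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def first_fragment(pkt):
    """ip[6:2] & 0x1fff = 0 : fragment offset is zero, i.e. unfragmented
    datagrams AND the first fragment of fragmented ones."""
    return index(pkt, 6, 2) & 0x1FFF == 0

def unfragmented(pkt):
    """ip[6:2] & 0x3fff = 0 : additionally requires the MF bit (0x2000) to be
    clear, so first fragments are excluded too; DF (0x4000) is masked out."""
    return index(pkt, 6, 2) & 0x3FFF == 0

def tcp_syn_only(pkt):
    """tcp[13] & 0x12 = 0x02 : SYN set and ACK clear (connection attempts).
    As libpcap does, find the TCP header via ip[0] & 0xf (IHL in 32-bit words),
    require ip[9] = 6 (TCP) and refuse to index into a non-first fragment."""
    if index(pkt, 9) != 6 or not first_fragment(pkt):
        return False
    ihl = (index(pkt, 0) & 0x0F) * 4
    return index(pkt[ihl:], 13) & 0x12 == 0x02

# Constructed sample packets
PACKETS = {
    "tcp_syn":      ipv4_packet(6, 0x4000, tcp_header(40000, 443, 0x02)),   # DF set, SYN
    "tcp_syn_ack":  ipv4_packet(6, 0x4000, tcp_header(443, 40000, 0x12)),   # DF set, SYN+ACK
    "udp_frag_0":   ipv4_packet(17, 0x2000, b"\x00" * 8),                   # MF set, offset 0
    "udp_frag_185": ipv4_packet(17, 0x00B9, b"\x00" * 8),                   # offset 185 (= 1480 bytes)
}

def evaluate():
    """Map each packet to (first_fragment, unfragmented, tcp_syn_only)."""
    return {name: (first_fragment(p), unfragmented(p), tcp_syn_only(p))
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (frag0, unfrag, syn) in evaluate().items():
        print(f"{name:13s} first_fragment={frag0} unfragmented={unfrag} syn_only={syn}")
```

The udp_frag_0 row is the practical caveat: the post's ip[6:2] & 0x1fff = 0 still admits the first fragment of a fragmented datagram, which is what you want when you are going to index into the transport header, but not when you want to drop every fragmented datagram.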

 

RX MAC ---------- AA:AA:AA:AA:AA:AA
TX Dev MAC ---- BB:BB:BB:BB:BB:BB
TX P2P MAC ---- CC:CC:CC:CC:CC:CC

 

All frames (one capture-filter expression, broken across lines here for readability):

(type ctl && (wlan addr1 AA:AA:AA:AA:AA:AA || wlan addr1 BB:BB:BB:BB:BB:BB || wlan addr1 CC:CC:CC:CC:CC:CC)) || 
(type data && (wlan addr1 AA:AA:AA:AA:AA:AA || wlan addr1 CC:CC:CC:CC:CC:CC)) || 
(type mgt && (
    (wlan addr1 AA:AA:AA:AA:AA:AA && (wlan addr2 BB:BB:BB:BB:BB:BB || wlan addr2 CC:CC:CC:CC:CC:CC)) || 
    (wlan addr2 AA:AA:AA:AA:AA:AA && (wlan addr1 BB:BB:BB:BB:BB:BB || wlan addr1 CC:CC:CC:CC:CC:CC)) || 
    (wlan addr1 FF:FF:FF:FF:FF:FF && (wlan addr2 AA:AA:AA:AA:AA:AA || wlan addr2 BB:BB:BB:BB:BB:BB || wlan addr2 CC:CC:CC:CC:CC:CC))
))

 

Key frames (the EAPOL handshake plus unicast management frames between the two devices):

(ether proto 0x888e && (wlan addr1 AA:AA:AA:AA:AA:AA || wlan addr1 CC:CC:CC:CC:CC:CC)) || 
(type mgt && (
    (wlan addr1 AA:AA:AA:AA:AA:AA && (wlan addr2 BB:BB:BB:BB:BB:BB || wlan addr2 CC:CC:CC:CC:CC:CC)) || 
    (wlan addr2 AA:AA:AA:AA:AA:AA && (wlan addr1 BB:BB:BB:BB:BB:BB || wlan addr1 CC:CC:CC:CC:CC:CC))
))
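The same two capture filters evaluated in Python over hand-built 802.11 frames, as an added example that is not part of the original post. It decodes the fields the filters test (frame control type/subtype, Address 1 and Address 2, and the LLC/SNAP ethertype of a data frame) and reuses the post's placeholder MACs. Assumptions, stated in the code: no Address 4 (ToDS and FromDS are never both set), no HT Control field, and unprotected data frames, which holds for the EAPOL handshake itself.

```python
# Added example (not part of the original post): decode the 802.11 MAC header
# fields the capture filters above test and evaluate the "all frames" and
# "key frames" predicates on hand-built frames using the post's placeholder MACs.
# Assumptions: no Address 4 (ToDS and FromDS never both set), no HT Control
# field, and unprotected data frames (true for the EAPOL 4-way handshake).
import struct

RX_MAC = "aa:aa:aa:aa:aa:aa"   # RX MAC
TX_DEV = "bb:bb:bb:bb:bb:bb"   # TX device MAC
TX_P2P = "cc:cc:cc:cc:cc:cc"   # TX P2P MAC
BCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_EAPOL = 0x888E       # ether proto 0x888e
SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header preceding the ethertype

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse(frame):
    """Return the header fields the capture filters look at."""
    fc = frame[0]                          # first frame-control byte
    ftype = (fc >> 2) & 0x3                # bits 2-3: type (mgt=0, ctl=1, data=2)
    subtype = (fc >> 4) & 0xF              # bits 4-7: subtype
    type_subtype = (ftype << 4) | subtype  # Wireshark's wlan.fc.type_subtype
    addr1 = mac_str(frame[4:10])           # Address 1 = receiver (wlan addr1 / wlan.ra)
    # CTS, ACK and Control Wrapper carry only Address 1; other frames have Address 2
    addr2 = None
    if not (ftype == 1 and subtype in (0x7, 0xC, 0xD)) and ftype != 3:
        addr2 = mac_str(frame[10:16])      # Address 2 = transmitter (wlan addr2 / wlan.ta)
    ethertype = None
    if ftype == 2:                         # data frame: LLC/SNAP follows the MAC header
        hdr_len = 24 + (2 if subtype & 0x8 else 0)   # QoS subtypes add a 2-byte QoS Control
        llc = frame[hdr_len:hdr_len + 8]
        if llc[:6] == SNAP:
            ethertype = struct.unpack("!H", llc[6:8])[0]
    return {"type": ftype, "subtype": subtype, "type_subtype": type_subtype,
            "addr1": addr1, "addr2": addr2, "ethertype": ethertype}

def all_frames(f):
    """The 'all frames' capture filter from the post."""
    a1, a2 = f["addr1"], f["addr2"]
    if f["type"] == 1:
        return a1 in (RX_MAC, TX_DEV, TX_P2P)
    if f["type"] == 2:
        return a1 in (RX_MAC, TX_P2P)
    if f["type"] == 0:
        return ((a1 == RX_MAC and a2 in (TX_DEV, TX_P2P)) or
                (a2 == RX_MAC and a1 in (TX_DEV, TX_P2P)) or
                (a1 == BCAST and a2 in (RX_MAC, TX_DEV, TX_P2P)))
    return False

def key_frames(f):
    """The 'key frames' capture filter: EAPOL plus unicast management frames."""
    a1, a2 = f["addr1"], f["addr2"]
    if f["ethertype"] == ETHERTYPE_EAPOL:
        return a1 in (RX_MAC, TX_P2P)
    if f["type"] == 0:
        return ((a1 == RX_MAC and a2 in (TX_DEV, TX_P2P)) or
                (a2 == RX_MAC and a1 in (TX_DEV, TX_P2P)))
    return False

def build(fc0, flags, addr1, addr2=None, addr3=None, body=b""):
    """Build a minimal 802.11 frame (constructed test data, FCS omitted)."""
    hdr = bytes([fc0, flags, 0, 0]) + mac(addr1)          # FC, Duration, Address 1
    if addr2 is not None:
        hdr += mac(addr2) + mac(addr3) + b"\x00\x00"       # Address 2, Address 3, Seq Ctrl
    return hdr + body

# QoS Control + LLC/SNAP + ethertype 0x888e + start of an EAPOL-Key message (constructed)
EAPOL_BODY = b"\x00\x00" + SNAP + struct.pack("!H", ETHERTYPE_EAPOL) + b"\x02\x03\x00\x5f"

# Hand-built sample frames; the first byte encodes type/subtype as noted
FRAMES = {
    "beacon_from_dev":  build(0x80, 0x00, BCAST, TX_DEV, TX_DEV),                       # mgt Beacon 0x08
    "deauth_p2p_to_rx": build(0xC0, 0x00, RX_MAC, TX_P2P, TX_P2P, b"\x07\x00"),         # mgt Deauth 0x0C
    "ack_to_rx":        build(0xD4, 0x00, RX_MAC),                                       # ctl ACK 0x1D
    "eapol_rx_to_p2p":  build(0x88, 0x01, TX_P2P, RX_MAC, TX_P2P, EAPOL_BODY),           # QoS Data 0x28
    "data_rx_to_dev":   build(0x08, 0x01, TX_DEV, RX_MAC, TX_DEV, SNAP + b"\x08\x00"),   # Data 0x20, IPv4
    "probe_req_other":  build(0x40, 0x00, BCAST, "11:22:33:44:55:66", BCAST),            # mgt Probe req 0x04
}

def evaluate():
    """Map each sample frame to (type_subtype, matches all-frames, matches key-frames)."""
    out = {}
    for name, raw in FRAMES.items():
        f = parse(raw)
        out[name] = (f["type_subtype"], all_frames(f), key_frames(f))
    return out

if __name__ == "__main__":
    for name, (ts, every, key) in evaluate().items():
        print(f"{name:17s} type_subtype=0x{ts:02x} all={every} key={key}")
```

Two things the run makes visible: the ACK has no Address 2 at all, which is why the control branch of the filter only tests wlan addr1, and a data frame addressed to the TX device MAC (data_rx_to_dev) is not matched by either filter, since the data branch lists only the RX and P2P MACs as addr1.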
Category: WIFI
