802.11 Wireshark Filters

Management Frames: wlan.fc.type == 0
Association Request: wlan.fc.type_subtype == 0
Association Response: wlan.fc.type_subtype == 1
Reassociation Request: wlan.fc.type_subtype == 2
Reassociation Response: wlan.fc.type_subtype == 3
Probe Request: wlan.fc.type_subtype == 4
Probe Response: wlan.fc.type_subtype == 5
Beacon: wlan.fc.type_subtype == 8
Disassociation: wlan.fc.type_subtype == 10
Authentication: wlan.fc.type_subtype == 11
Deauthentication: wlan.fc.type_subtype == 12
Action: wlan.fc.type_subtype == 13

Control Frames: wlan.fc.type == 1
Block ACK Request: wlan.fc.type_subtype == 24
Block ACK: wlan.fc.type_subtype == 25
PS-Poll: wlan.fc.type_subtype == 26
Ready To Send (RTS): wlan.fc.type_subtype == 27
Clear to Send (CTS): wlan.fc.type_subtype == 28
ACK: wlan.fc.type_subtype == 29

Data Frames: wlan.fc.type == 2
Data: wlan.fc.type_subtype == 32
Null: wlan.fc.type_subtype == 36
QoS Data: wlan.fc.type_subtype == 40
QoS Null: wlan.fc.type_subtype == 44

Addresses
MAC address: wlan.addr == MAC_address
Transmitter Address (TA): wlan.ta == MAC_address
Receiver Address (RA): wlan.ra == MAC_address
Source Address (SA): wlan.sa == MAC_address
Destination Address (DA): wlan.da == MAC_address

Access Points and SSIDs
BSSID: wlan.bssid == AP_radio_MAC_address
SSID: wlan_mgt.ssid == SSID

Radio Tap Header
Specific Channel: radiotap.channel.freq == frequency
Specific Data Rate: radiotap.datarate == rate_in_Mbps
RSSI: radiotap.dbm_antsignal == rate_in_dBm

802.11k,v,r
802.11v DMS request: wlan.fixed.action_code == 23
802.11v DMS response: wlan.fixed.action_code == 24
802.11k Neighbor request: wlan.rm.action_code == 4
802.11k Neighbor response: wlan.rm.action_code == 5
802.11r FT auth req: (wlan.fc.type_subtype==0) && (wlan.rsn.akms.type == 3)
802.11r FT auth res: (wlan.fc.type_subtype==1) && (wlan.tag.number == 55)
802.11r FT reassoc req: (wlan.fc.type_subtype==2) && (wlan.tag.number == 55)
802.11r FT reassoc res: (wlan.fc.type_subtype==3) && (wlan.tag.number == 55)

Retries
Retry: wlan.fc.retry==1

Weak Signal and Probes
Weak Signal: wlan_radio.signal_dbm < -dB
Weak Probe responses: wlan.fc.type_subtype == 5 && wlan_radio.signal_dbm < -dB
Weak Probe requests: wlan.fc.type_subtype == 4 && wlan_radio.signal_dbm < -dB

Display Filter Operators
Equal: == eq
Not Equal: != ne
And: && and
Or: || or
Xor: ^^ xor
Not: ! not
Contains: wlan.xxx contains "xx:xx"

4-Way Handshake Filter
wlan.addr == MAC && eapol