802.11 WiFi - Wireshark Cheatsheet
Cheats
- Get rid of beacons, probe requests and probe respons
1
&& (!(wlan.fc.type_subtype == 4 || wlan.fc.type_subtype == 5 || wlan.fc.type_subtype == 8 ))
- Display only connection/disconnection related frames only
1
(wlan.fc.type_subtype == 0 || wlan.fc.type_subtype == 1 || wlan.fc.type_subtype == 2 || wlan.fc.type_subtype == 3 || wlan.fc.type_subtype == 10 || wlan.fc.type_subtype == 11 || wlan.fc.type_subtype == 12 || eapol)
- Auth/Deauth related packets.
1
eapol || wlan.fc.type_subtype == 0 || wlan.fc.type_subtype == 1 || wlan.fc.type_subtype == 2 || wlan.fc.type_subtype == 3 || wlan.fc.type_subtype == 10 || wlan.fc.type_subtype == 11 || wlan.fc.type_subtype == 12
Filters
Management Frames
Used for the control of the wireless network and the devices that connect to it. Management frames can be used for establishing and maintaining connections, as well as for signaling important events like re-association or authentication.
| wlan.fc.type == 0 | All Management Frames | Description |
|---|---|---|
| wlan.fc.type_subtype == 0 | Association Requests | Sent by a client to request association with an access point (AP). |
| wlan.fc.type_subtype == 1 | Association Response | Sent by an AP to indicate the status of an association request from a client. |
| wlan.fc.type_subtype == 2 | Re-association Request | Sent by a client to request re-association with an AP. This is typically used when a client roams from one AP to another within the same network. |
| wlan.fc.type_subtype == 3 | Re-association Response | Sent by an AP to indicate the status of a re-association request from a client. |
| wlan.fc.type_subtype == 4 | Probe Requests | Sent by a client to discover available networks and obtain information about nearby APs. |
| wlan.fc.type_subtype == 5 | Probe Responses | Sent by an AP to provide information about its capabilities and services in response to a Probe Request from a client. |
| wlan.fc.type_subtype == 8 | Beacons | Periodically transmitted by an AP to announce its presence and provide information about the network. |
| wlan.fc.type_subtype == 9 | ATIMs | Used in ad-hoc networks to allocate the medium access time for stations to transmit data. |
| wlan.fc.type_subtype == 10 | Disassociations | Sent by a client or AP to terminate an association and indicate the intention to leave the network. |
| wlan.fc.type_subtype == 11 | Authentications | Used to authenticate a client with an AP. Exchanged before association to provide security in the initial stages of the connection. |
| wlan.fc.type_subtype == 12 | Deauthentications | Sent by a client or AP to terminate an authenticated session, indicating a forced logoff or access denial. |
| wlan.fc.type_subtype == 13 | Actions | Used to exchange vendor-specific or non-standardized messages between clients and APs, providing a mechanism for extending the capabilities of the Wi-Fi network. |
undefined
Control Frames
Control frames are used to manage the transmission of data between wireless devices, and are critical to ensuring that network resources are used efficiently and effectively.
| wlan.fc.type == 1 | All Control Frames | Description |
|---|---|---|
| wlan.fc.type_subtype == 24 | Block Ack Requests | Sent by the receiver to request the sender to acknowledge the successful receipt of multiple frames, optimizing the acknowledgment process by reducing the number of individual acknowledgments. |
| wlan.fc.type_subtype == 25 | Block Ack | Sent by the sender to acknowledge the successful receipt of multiple frames as requested by the Block Ack Request, confirming the successful delivery of a group of frames. |
| wlan.fc.type_subtype == 26 | PS-Polls | Sent by a power-saving station to the access point (AP) to indicate its desire to receive buffered frames, allowing the power-saving station to check for any pending frames while minimizing power consumption. |
| wlan.fc.type_subtype == 27 | RTS (Request-to-Send) | Sent by a sender to request permission to transmit a data frame, used in the RTS/CTS (Request-to-Send/Clear-to-Send) handshake mechanism to avoid collisions in the wireless medium. |
| wlan.fc.type_subtype == 28 | CTS (Clear-to-Send) | Sent by the receiver in response to an RTS frame, granting permission to the sender to transmit a data frame and indicating that the medium is clear for transmission. |
| wlan.fc.type_subtype == 29 | ACKs (Acknowledgments) | Sent by the receiver to acknowledge the successful receipt of a data frame, serving as a positive acknowledgment to inform the sender that the frame was received without errors. |
| wlan.fc.type_subtype == 30 | CF-Ends | Sent by a station to inform other stations that it has finished its contention-free period and the medium is available for contention-based access. |
| wlan.fc.type_subtype == 31 | CF-Ends/CF-Acks | Sent by the access point (AP) to acknowledge the CF-End frame and indicate the end of the contention-free period, used in contention-free access methods to maintain synchronization. |
undefined
Data Frames
Data frames can be used for two main purposes: to transfer information or to trigger an event. It is worth mentioning that not all data frames have a payload. Some of them, referred to as “null data frames”, only have a header and trailer.
| wlan.fc.type == 2 | All Data Frames | Description |
|---|---|---|
| wlan.fc.type_subtype == 32 | Data Frames | Carries data from the sender to the receiver. Used for the transmission of upper-layer protocols such as IP packets. |
| wlan.fc.type_subtype == 33 | Data + CF-ACK | Data frame with a contention-free acknowledgement (CF-ACK) to ensure reliable delivery. |
| wlan.fc.type_subtype == 34 | Data + CF-Poll | Data frame with a contention-free poll (CF-Poll) to request data from another station during a contention-free period. |
| wlan.fc.type_subtype == 35 | Data + CF-ACK + CF-Poll | Data frame with both a contention-free acknowledgement (CF-ACK) and a contention-free poll (CF-Poll) for combined data transmission, acknowledgement, and polling functionality. |
| wlan.fc.type_subtype == 36 | Null Data | Used to maintain synchronization in the wireless network without carrying any payload. |
| wlan.fc.type_subtype == 37 | CF-ACK | Contention-free acknowledgement (CF-ACK) sent to acknowledge the successful receipt of a frame during a contention-free period. |
| wlan.fc.type_subtype == 38 | CF-Poll | Contention-free poll (CF-Poll) sent to request data from another station during a contention-free period. |
| wlan.fc.type_subtype == 39 | CF-ACK + CF-Poll | Combination of a contention-free acknowledgement (CF-ACK) and a contention-free poll (CF-Poll) for both acknowledgement and polling during a contention-free period. |
| wlan.fc.type_subtype == 40 | QoS Data | Carries data with quality of service (QoS) parameters for enhanced services and priority handling. |
| wlan.fc.type_subtype == 41 | QoS Data + CF-ACK | QoS data frame with a contention-free acknowledgement (CF-ACK) for reliable delivery during a contention-free period. |
| wlan.fc.type_subtype == 42 | QoS Data + CF-Poll | QoS data frame with a contention-free poll (CF-Poll) to request QoS data during a contention-free period. |
| wlan.fc.type_subtype == 43 | QoS Data + CF-ACK + CF-Poll | QoS data frame with both a contention-free acknowledgement (CF-ACK) and a contention-free poll (CF-Poll) for combined QoS data transmission, acknowledgement, and polling. |
| wlan.fc.type_subtype == 44 | QoS Null | Used for synchronization purposes in QoS-enabled networks without carrying any payload. |
| wlan.fc.type_subtype == 46 | QoS CF-Poll | QoS contention-free poll (CF-Poll) sent to request QoS data during a contention-free period. |
| wlan.fc.type_subtype == 47 | QoS CF-ACK + CF-Poll | Combination of a QoS contention-free acknowledgement (CF-ACK) and a contention-free poll (CF-Poll) for both acknowledgement and polling in a contention-free period. |
undefined
Extras
| Filter Condition | Category | Description |
|---|---|---|
| wlan.addr == mac address | Specific Client | Filters packets sent by a specific client identified by the MAC address. |
| wlan.ta == mac address | Transmitter Address | Filters packets where the transmitter address matches the specified MAC address. |
| wlan.ra == mac address | Receiver Address | Filters packets where the receiver address matches the specified MAC address. |
| wlan.sa == mac address | Source Address | Filters packets where the source address matches the specified MAC address. |
| wlan.da == mac address | Destination Address | Filters packets where the destination address matches the specified MAC address. |
| wlan.bssid == ap mac address | AP Radio Address | Filters packets sent by a specific AP radio identified by the MAC address. |
| wlan.mgt.ssid == “your-ssid” | SSID | Filters packets based on the specified SSID (network name). |
| wlan.fixed.action_code == 23 | 802.11v DMS Request | Filters 802.11v DMS (Directed Multicast Service) request frames. |
| wlan.fixed.action_code == 24 | 802.11v DMS Response | Filters 802.11v DMS (Directed Multicast Service) response frames. |
| wlan.fixed.action_code == 4 | 802.11k Neighbor Request | Filters 802.11k Neighbor Request frames. |
| wlan.fixed.action_code == 5 | 802.11k Neighbor Response | Filters 802.11k Neighbor Response frames. |
| (wlan.fc.type_subtype==0)&&(wlan.rsn.akms.type==3) | 802.11r Auth Request | Filters 802.11r (Fast Transition) authentication request frames. |
| (wlan.fc.type_subtype==1)&&(wlan.tag.number==55) | 802.11r Auth Response | Filters 802.11r (Fast Transition) authentication response frames. |
| (wlan.fc.type_subtype==2)&&(wlan.tag.number==55) | 802.11r Re-association Request | Filters 802.11r (Fast Transition) re-association request frames. |
| (wlan.fc.type_subtype==3)&&(wlan.tag.number==55) | 802.11r Re-association Response | Filters 802.11r (Fast Transition) re-association response frames. |
| wlan.fc.retry == 1 | Retry Frames | Filters frames that are retried (retransmitted). |
| wlan.fc.retry == 1 && wlan.fc.tods == 1 | Retry Frames (To AP) | Filters frames that are retried (retransmitted) and transmitted towards the AP. |
| wlan.fc.retry == 1 && wlan.fc.fromds == 1 | Retry Frames (From AP) | Filters frames that are retried (retransmitted) and transmitted from the AP towards the client device. |
| wlan.fixed.action_code == 7 | BSS Transition (Steering) Request | Filters BSS Transition (Steering) request frames. |
| wlan.fixed.action_code == 8 | BSS Transition (Steering) Response | Filters BSS Transition (Steering) response frames. |
undefined
Display Filter Macros
Display Filter Macros are a mechanism to create shortcuts for complex filters. For example, defining a display filter macro named tcp_conv whose text is
1
(wlan.addr == $1 && wlan.addr == $2) || (wlan.addr == $2 && wlan.addr == $1 && wlan.type.eq(0) && wlan.fc.type_subtype == 0x1D)
Packet Colorization
To add, goto View → Coloring Rules → Import
Click here to download
View content
```yaml # DO NOT EDIT THIS FILE! It was created by Wireshark @Bad [email protected] && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695] @HSRP State [email protected] != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092] @Spanning Tree Topology [email protected] == 0x80@[4626,10023,11822][65535,64764,40092] @OSPF State [email protected] != 1@[4626,10023,11822][65535,64764,40092] @ICMP [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[4626,10023,11822][47031,63479,29812] @ARP@arp@[64250,61680,55255][4626,10023,11822] @ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822] @TCP [email protected] eq 1@[42148,0,0][65535,64764,40092] @SCTP [email protected]_type eq ABORT@[42148,0,0][65535,64764,40092] @TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim && !ospf) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395] @Checksum [email protected]=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695] @SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822] @HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822] @DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822] @Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822] @TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822] @TCP@tcp@[59367,59110,65535][4626,10023,11822] @UDP@udp@[56026,61166,65535][4626,10023,11822] @Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774] @System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578] @802.11 Retry [email protected] == 1@[65535,8738,8738][0,0,0] @Device Going To [email protected] == 1@[0,0,65535][65535,65535,65535] @802.11 [email protected]_subtype == 8@[65535,65535,0][0,0,0] @802.11 Probe [email protected]_subtype == 4@[53199,62708,65535][0,0,0] @802.11 Probe [email protected]_subtype == 5@[39321,58596,65535][0,0,0] @802.11 [email protected]_subtype == 11@[9509,38550,65535][0,0,0] @802.11 Association [email protected]_subtype == 0@[47288,53713,65535][0,0,0] @802.11 Association [email protected]_subtype == 1@[33667,43690,65535][0,0,0] @802.11 ReAssociation [email protected]_subtype == 2@[47288,53713,65535][0,0,0] @802.11 ReAssociation [email protected]_subtype == 3@[33667,43690,65535][0,0,0] @EAP@eap@[0,0,0][9766,65535,0] @EAPOL@eapol@[0,0,0][9766,65535,0] @802.11 QoS Data [email protected]_subtype == 40@[0,49087,3855][0,0,0] @802.11 QoS Data + [email protected]_subtype == 41@[13621,56797,16705][0,0,0] @802.11 QoS Data + [email protected]_subtype == 42@[13621,56797,16705][0,0,0] @802.11 QoS Data + CF-Ack + [email protected]_subtype == 43@[13621,56797,16705][0,0,0] @QoS CF-Poll No [email protected]_subtype == 46@[31868,65021,35723][0,0,0] @802.11 QoS Data + CF-Ack + CF-Poll No [email protected]_subtype == 47@[31868,65021,35723][0,0,0] @802.11 QoS NULL [email protected]_subtype == 44@[31868,65021,35723][0,0,0] @802.11 NULL [email protected]_subtype == 36@[31868,65021,35723][0,0,0] @802.11 [email protected]_subtype == 29@[53199,65535,19275][0,0,0] @802.11 [email protected]_subtype == 28@[60395,49344,30069][0,0,0] @802.11 [email protected]_subtype == 27@[51914,42405,25957][0,0,0] @Aruba ARM Over-The_Air [email protected]_subtype == 15@[65535,36494,771][0,0,0] @802.11 Power-Save [email protected]_subtype == 26@[11051,19275,65535][0,0,0] @Beamforming Report [email protected]_subtype == 20@[28527,65535,65535][0,0,0] @VHT NDP [email protected]_subtype == 21@[10537,62965,65535][0,0,0] @VHT Compressed Beamforming [email protected] == 0@[8995,55512,57054][0,0,0] @VHT Group ID [email protected] == 1@[7453,47288,47802][0,0,0] @802.11 [email protected]_subtype == 10@[65535,16962,44461][0,0,0] @802.11 [email protected]_subtype == 12@[65535,0,39321][0,0,0] @Block Ack [email protected]_subtype == 24@[60652,55512,65535][0,0,0] @Block Ack [email protected]_subtype == 25@[54741,44975,65535][0,0,0] @AddBA [email protected]_code == 0@[60652,55512,65535][0,0,0] @AddBA [email protected]_code == 1@[54741,44975,65535][0,0,0] @[email protected]_code == 2@[46260,19275,65535][0,0,0] @11v BSS Transition Mgmt [email protected]_code == 6@[34695,65535,55255][0,0,0] @11v BSS Transition Mgmt [email protected]_code == 7@[29041,54998,46517][0,0,0] @11v BSS Transition Mgmt [email protected]_code == 8@[22873,43176,36494][0,0,0] !@11k Radio Measurement [email protected]_code == 0@[65535,58082,61166][0,0,0] !@11k Radio Measurement [email protected]_code == 1@[65535,44204,50629][0,0,0] !@11k Link Measurement [email protected]_code == 2@[65535,58082,61166][0,0,0] !@11k Link Measurement [email protected]_code == 3@[65535,44204,50629][0,0,0] !@11k Neighbor Report [email protected]_code == 4@[65535,58082,61166][0,0,0] !@11k Neighbor Report [email protected]_code == 5@[65535,44204,50629][0,0,0] !@Bad [email protected] && !tcp.analysis.window_update@[4626,10023,11822][63479,34695,34695] !@HSRP State [email protected] != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092] !@Spanning Tree Topology [email protected] == 0x80@[4626,10023,11822][65535,64764,40092] !@OSPF State [email protected] != 1@[4626,10023,11822][65535,64764,40092] !@ICMP [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[4626,10023,11822][47031,63479,29812] !@ARP@arp@[64250,61680,55255][4626,10023,11822] !@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822] !@TCP [email protected] eq 1@[42148,0,0][65535,64764,40092] !@SCTP [email protected]_type eq ABORT@[42148,0,0][65535,64764,40092] !@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim && !ospf) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395] !@Checksum [email protected]=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695] !@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65278,65535,53456][4626,10023,11822] !@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822] !@IPX@ipx || spx@[65535,58339,58853][4626,10023,11822] !@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822] !@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822] !@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822] !@TCP@tcp@[59367,59110,65535][4626,10023,11822] !@UDP@udp@[56026,61166,65535][4626,10023,11822] !@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774] ```
This post is licensed under
CC BY 4.0
by the author.