The intent of this article is to provide some simple tips on how to better implement filters in Wireshark to be sure the intended results are achieved.

I’m going to show some helpful filtering techniques that can be used when performing and analyzing captures. Applying filters properly is important to be sure you are seeing all of the intended frames, and grouping your filter elements with parentheses is a key part of that. These methods are based on simple logic structures, which are part of the foundation of computer science, and they allow applied filters to produce the desired results. Included at the bottom are some links to the logic books I used to gain a deeper understanding. I’m not going to dive into the logic structures themselves but will show some examples of applying them. Be sure to note the placement, or absence, of parentheses in each example. In the examples producing the desired results, the last filter element can also be enclosed in parentheses and will yield the same results.

Suppose you want to see all traffic to or from a specific wireless client. As we know, there can be as many as four addresses used in an 802.11 frame – RA, TA, SA, DA. When filtering a frame capture, you can include all of these to make sure you’re seeing all the frames to and from the specified address. If you’ve ever written the filters incorrectly, you may have wondered why you’re seeing frames you didn’t intend to see, or not seeing frames you thought you would. Proper grouping of the filter values with parentheses is required to avoid ambiguity in the results.

The examples included below were produced from a frame capture with 16885 frames. In all examples, I’ll be filtering for the specified address and looking for frames with SNR above 25 dB. I’ve included each filter in text format in addition to the screenshots in case anyone is inclined to copy the filters.

Example 1 – Filtering for TA/SA – no parentheses

First – Undesired results

wlan.ta == bc:f1:71:f3:be:f7 or wlan.sa == bc:f1:71:f3:be:f7 and wlan_radio.snr > 25

  • Displays 1898/16885 frames, many of which have SNR below 25 dB – these are clearly not the desired results.

Versus the desired results – with parentheses

(wlan.ta == bc:f1:71:f3:be:f7 or wlan.sa == bc:f1:71:f3:be:f7) and wlan_radio.snr > 25

  • Displays 4/16885 frames – the expected result for the TA/SA.

Example 2 – Filtering for both the TA/SA and RA/DA – no parentheses

First – Undesired results

wlan.ta == bc:f1:71:f3:be:f7 or wlan.sa == bc:f1:71:f3:be:f7 or wlan.ra == bc:f1:71:f3:be:f7 or wlan.da == bc:f1:71:f3:be:f7 and wlan_radio.snr > 25

  • Displays 3959/16885 frames, many of which have SNR below 25 dB – these are not the desired results.

Versus more undesired results – parentheses used improperly

(wlan.ta == bc:f1:71:f3:be:f7 or wlan.sa == bc:f1:71:f3:be:f7) or (wlan.ra == bc:f1:71:f3:be:f7 or wlan.da == bc:f1:71:f3:be:f7) and wlan_radio.snr > 25

  • Displays 1903/16885 frames, many of which have SNR below 25 dB, which we were trying to exclude.

Versus desired results, Example 1 – appropriately placed parentheses

((wlan.ta == bc:f1:71:f3:be:f7 or wlan.sa == bc:f1:71:f3:be:f7) or (wlan.ra == bc:f1:71:f3:be:f7 or wlan.da == bc:f1:71:f3:be:f7)) and wlan_radio.snr > 25

  • Displays 9/16885 frames – The desired result

Versus desired results, Example 2 – an alternative placement of parentheses

(((wlan.ta == bc:f1:71:f3:be:f7) or (wlan.sa == bc:f1:71:f3:be:f7)) or ((wlan.ra == bc:f1:71:f3:be:f7) or (wlan.da == bc:f1:71:f3:be:f7))) and wlan_radio.snr > 25

  • Also displays 9/16885 frames, all with SNR above 25 dB, as desired. This filter is also appropriate!
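To see why the placement matters, here is a small Python evaluator, added as an example and not part of the original post or of Wireshark itself, that applies Wireshark's precedence rule ('and' binds tighter than 'or') to the Example 2 filters over a handful of constructed frames. The client MAC is the one used in the post; the AP and other addresses, the frame contents and the SNR values are made up.

```python
import re

# Tokens: parentheses, ==, >, a MAC address, an integer, or a field / keyword name.
TOKEN = re.compile(r"\(|\)|==|>|[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}|\d+|[A-Za-z_][\w.]*")

class Parser:  # or_expr -> and_expr ('or' and_expr)* ; and_expr -> atom ('and' atom)*
    def __init__(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0
        if "".join(self.toks) != re.sub(r"\s+", "", expr):
            raise ValueError("unsupported token in filter")
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def or_expr(self): return self.chain("or", self.and_expr)  # lowest precedence: split last
    def and_expr(self): return self.chain("and", self.atom)    # 'and' binds only its neighbours
    def chain(self, kw, sub):
        node = sub()
        while self.peek() == kw:
            self.take(); node = (kw, node, sub())
        return node
    def atom(self):
        if self.peek() != "(":
            return (self.take(), self.take(), self.take())  # leaf: (field, op, value)
        self.take(); node = self.or_expr()  # explicit grouping overrides precedence
        if self.take() != ")": raise ValueError("missing ')'")
        return node
    def parse(self):
        tree = self.or_expr()
        if self.peek() is not None: raise ValueError("trailing tokens after filter")
        return tree

def evaluate(node, frame):
    if node[0] == "or": return evaluate(node[1], frame) or evaluate(node[2], frame)
    if node[0] == "and": return evaluate(node[1], frame) and evaluate(node[2], frame)
    field, op, value = node
    if field not in frame: return False  # an ACK carries no SA/DA, so those tests simply fail
    return str(frame[field]).lower() == value.lower() if op == "==" else frame[field] > int(value)

def count_matches(expr, frames):
    tree = Parser(expr).parse(); return sum(1 for f in frames if evaluate(tree, f))
CLIENT, AP, OTHER = "bc:f1:71:f3:be:f7", "00:11:22:33:44:55", "66:77:88:99:aa:bb"
FRAMES = [  # constructed frames: client<->AP at good and weak SNR (dB), an ACK (RA only), one unrelated
    {"wlan.ta": CLIENT, "wlan.sa": CLIENT, "wlan.ra": AP, "wlan.da": AP, "wlan_radio.snr": 30},
    {"wlan.ta": CLIENT, "wlan.sa": CLIENT, "wlan.ra": AP, "wlan.da": AP, "wlan_radio.snr": 10},
    {"wlan.ta": AP, "wlan.sa": OTHER, "wlan.ra": CLIENT, "wlan.da": CLIENT, "wlan_radio.snr": 40},
    {"wlan.ra": CLIENT, "wlan_radio.snr": 5},
    {"wlan.ta": AP, "wlan.sa": OTHER, "wlan.ra": OTHER, "wlan.da": OTHER, "wlan_radio.snr": 50},
]
ADDR = " or ".join(f"wlan.{f} == {CLIENT}" for f in ("ta", "sa", "ra", "da"))
UNGROUPED = f"{ADDR} and wlan_radio.snr > 25"  # Example 2 without parentheses: top-level node is 'or'
GROUPED = f"({ADDR}) and wlan_radio.snr > 25"  # the same test grouped: top-level node is 'and'
```

Without the parentheses only the wlan.da test is combined with the SNR test, so the two weak-SNR frames still match through wlan.ta and wlan.ra; with them, only the two frames above 25 dB remain.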

If you are filtering improperly, you may not be viewing all the relevant frames, or you may be viewing frames you wish to exclude. This has a much greater impact when the filtering is done during the capture process: if you realize while analyzing the captures that they are not correct, you may need to return to the site to perform additional captures, which delays resolution of the problem you are working on. And if you are trying to keep the size of your capture file small by filtering only for the desired frames, an incorrect filter will let the captures grow more quickly than expected. I encourage you to perform some captures and filter them to see the behavior for yourself. You may even revisit old captures to see if you were filtering properly.

Resources:

https://www.amazon.com/Basic-Concepts-Symbolization-Propositional-Logic/dp/B0BKCM4ZN8/ref=sr_1_1?keywords=logic+self+taught&qid=1690490017&sprefix=logic+self%2Caps%2C108&sr=8-1

https://www.amazon.com/Truth-Table-Method-Workbook-Self-Taught-Workbooks/dp/B0BKRYNSLJ/ref=pd_bxgy_img_d_sccl_1/138-5470216-7863214?pd_rd_w=ZuHCU&content-id=amzn1.sym.839d7715-b862-4989-8f65-c6f9502d15f9&pf_rd_p=839d7715-b862-4989-8f65-c6f9502d15f9&pf_rd_r=M4RQQ3VW6NBKE32DWJWW&pd_rd_wg=0BqoV&pd_rd_r=835f480f-65de-422d-bdd1-0d1202f7359a&pd_rd_i=B0BKRYNSLJ&psc=1
