Wireshark Capture Filters for 802.11

Generally, when performing over-the-air captures of WLAN traffic with Wireshark, the workflow adopted is as follows:

- pick a specific channel where target traffic resides
- switch the capture adapter to that channel
- capture all 802.11 traffic over the air on that channel

Once a sample of traffic has been captured, the capture is stopped and analysis of the traffic using Wireshark's built-in display filters can begin. In most situations, this is the best workflow to adopt. It ensures that all required frames are captured. Filtering wireless traffic while capturing frames is very problematic due to the complexity of 802.11 frame exchanges. It is very easy to miss parts of interactions between stations if you filter traffic as it is being captured.

However, there are a few edge cases where it may be useful to filter over-the-air frames at the point of capture. This will mean that only the filtered frames are available to display in Wireshark - all other frames are lost