pcap (wireshark) filter by wlan mac address
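There are (up to) 4 fields in an 802.11 frame that contain a MAC address:
source mac
transmitter mac
destination mac
receiver mac
Is there a pcap capture filter for these values? For example, something like ether host ff:ff:ff:ff:ff:ff.
I looked at the PCAP-FILTER man page, and it is not clear.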
I think I found the solution, thanks to this answer: Server Fault - Is there some capture filter (or alternatives) that is especially useful for wireless capture?.
Source address:
wlan src XX:XX:XX:XX:XX:XX
or wlan sa XX:XX:XX:XX:XX:XX
Destination address:
wlan dst XX:XX:XX:XX:XX:XX
or wlan da XX:XX:XX:XX:XX:XX
Receiver address:
wlan addr1 XX:XX:XX:XX:XX:XX
or wlan ra XX:XX:XX:XX:XX:XX
Transmitter address:
wlan addr2 XX:XX:XX:XX:XX:XX
or wlan ta XX:XX:XX:XX:XX:XX
According to the release notes, support for ra and ta was added to pcap in 2010:
Fri. August 6, 2010. guy@alum.mit.edu. Summary for 1.1.2 libpcap release
- Return DLT_ values, not raw LINKTYPE_ values from pcap_datalink() when reading pcap-ng files
- Add support for "wlan ra" and "wlan ta", to check the RA and TA of WLAN frames that have them
- Don't crash if "wlan addr{1,2,3,4}" are used without 802.11 headers
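Added example (not part of the original answer and not libpcap's own code): the Python below shows which header bytes each of these primitives refers to, using the standard 802.11 ToDS/FromDS address layout and the pcap-filter man page's statement that RA/TA are not used in management frames and that CTS/ACK frames carry only addr1. The names wlan_fields and build and the sample MAC addresses are constructed for illustration.

```python
MGMT, CTRL, DATA = 0, 1, 2
CTS, ACK = 0xC, 0xD            # control subtypes that carry addr1 only
OFFSET = {1: 4, 2: 10, 3: 16, 4: 24}   # addr4 sits after the 2-byte sequence control

def wlan_fields(frame):
    """Map addr1..addr4 of a raw 802.11 header (no radiotap) to RA/TA/DA/SA."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    def addr(n):
        raw = frame[OFFSET[n]:OFFSET[n] + 6]
        if len(raw) < 6:
            raise ValueError(f"truncated before addr{n}")
        return raw.hex(":")
    out = {"addr1": addr(1)}
    if ftype == CTRL:                       # control frames: no SA/DA, no addr3
        out["ra"] = out["addr1"]
        if subtype not in (CTS, ACK):
            out["addr2"] = out["ta"] = addr(2)
        return out
    if ftype not in (MGMT, DATA):
        raise ValueError("extension frames are not handled here")
    out["addr2"], out["addr3"] = addr(2), addr(3)
    if ftype == DATA:                       # man page: RA/TA not used for management
        out["ra"], out["ta"] = out["addr1"], out["addr2"]
    if ftype == DATA and to_ds and from_ds: # WDS: the only case with addr4
        out["addr4"] = addr(4)
        out["da"], out["sa"] = out["addr3"], out["addr4"]
    elif ftype == DATA and to_ds:           # station -> AP
        out["da"], out["sa"] = out["addr3"], out["addr2"]
    elif ftype == DATA and from_ds:         # AP -> station
        out["da"], out["sa"] = out["addr1"], out["addr3"]
    else:                                   # management, or data with no DS bits
        out["da"], out["sa"] = out["addr1"], out["addr2"]
    return out

def build(fc0, flags, *addrs):
    """Constructed sample header: zero duration and sequence control."""
    raw = [bytes.fromhex(a.replace(":", "")) for a in addrs]
    seq = b"\0\0" if len(raw) >= 3 else b""
    return bytes([fc0, flags, 0, 0]) + b"".join(raw[:3]) + seq + b"".join(raw[3:])

AP, STA, HOST = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
TO_AP = build(0x08, 0x01, AP, STA, HOST)   # constructed data frame, ToDS=1
ACK_FRAME = build(0xD4, 0x00, STA)         # constructed ACK: addr1 only
if __name__ == "__main__":
    for name, f in (("data ToDS", TO_AP), ("ACK", ACK_FRAME)):
        print(name, wlan_fields(f))
```

For the ToDS data frame, a filter on wlan dst would have to match HOST (addr3) while wlan addr1 matches the AP, which is why the address-role and address-position primitives select different frames.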