Re: Basic question about Wireshark

[Guy Harris <guy () alum mit edu>]

On Jul 27, 2011, at 12:13 AM, Frank Walter wrote:

> > Are you talking about capture filter?
> > Unfortunately the capture filter syntax is different from display filter
> > syntax.
> > The capture filter
> >  not ether dest ff:ff:ff:ff:ff:ff
> > should exclude broadcast packets.
>
> Oh no. This gives me a clear:
>
> Invalid capture filter: "not ether dest ff:ff:ff:ff:ff:ff"!

The person who said "ether dest" was wrong - it should be "ether dst":

        $ tcpdump -i en1 -d not ether dst ff:ff:ff:ff:ff:ff
        (000) ld [2]
        (001) jeq #0xffffffff jt 2      jf 5
        (002) ldh [0]
        (003) jeq #0xffff jt 4  jf 5
        (004) ret #0
        (005) ret #65535 

> The "problem" is, that the display filter doesn't work. E.g. like this:
>
> !(eth.dst == ff:ff:ff:ff:ff:ff)
>
> when I am in Monitor mode.

In monitor mode, you probably have 802.11 headers rather than Ethernet headers, so it's probably

        !(wlan.da == ff:ff:ff:ff:ff:ff)

rather than

        !(eth.dst == ff:ff:ff:ff:ff:ff)

> And I don't know either how to filter all those packets away with another SSID.

The SSID isn't in every packet, so that's not implementable unless the 802.11 dissector were to determine the SSID 
corresponding to the RA or TA and put it into the 802.11 header as a "generated" field.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe