Dumpcap Capture Filter Syntax – WLAN Addr1 Question

ieee 802.11, wireshark

I am trying to capture wireless traffic from specified MAC addresses only, and I seem to be using the wrong syntax. When I use:

dumpcap -i wlp2s0 -b filesize:100000 -w capture.pcapng -a duration:18000 -f wlan addr1 d4:be:d9:5b:a6:45

I get:

dumpcap: Invalid argument: d4:be:d9:5b:a6:45

I appear to be getting the syntax that goes after -f incorrect. I am referencing http://www.tcpdump.org/manpages/pcap-filter.7.html, which is linked from the Wireshark wiki page on dumpcap.

I can't seem to find examples for wireless MAC address capturing, only wired. I'm sure there is something I am missing here.

Follow-up question: if I want to sniff for a few MAC addresses, do I separate them with the term, e.g.: wlan addr1 xx.xx.xx.xx.xx.xx or wlan addr1 xx.xx.xx.xx.xx.zz?

Using Wireshark 2.2.6 on Ubuntu 17.04.

Best Answer

You are apparently using the -f option incorrectly. This is what the Dumpcap documentation says about it:

-f

Set the capture filter expression.

The entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted).

This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

The page that you link also shows the filters as quoted (copied directly from the linked page):

`wlan addr2 0:2:3:4:5:6'.

Try something like:

dumpcap -i wlp2s0 -b filesize:100000 -w capture.pcapng -a duration:18000 -f 'wlan addr1 d4:be:d9:5b:a6:45'

Apparently, you can use the filter option multiple times.
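As an added example (not part of the question or the answer above), the following POSIX shell script builds a single quoted capture-filter expression for one or more 802.11 addresses and shows how it would be passed to dumpcap. It assumes the interface name wlp2s0 from the question; the second MAC address is a constructed sample. pcap-filter expects colon-separated hex octets, so the dotted form in the follow-up question would not parse; the helper rejects such input before dumpcap ever sees it, and multiple addresses are joined with the filter language's own `or` keyword.

```shell
#!/bin/sh
# Build a pcap-filter expression matching any of several 802.11 addresses in
# the given frame field (addr1 = receiver, addr2 = transmitter, and so on).
# The whole expression is handed to dumpcap -f as ONE quoted argument.

# Accept only colon-separated hex MACs; pcap-filter allows 1- or 2-digit groups.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$'
}

# Usage: build_wlan_filter <field> <mac> [<mac> ...]
# Prints e.g. "wlan addr1 aa:bb:cc:dd:ee:ff or wlan addr1 11:22:33:44:55:66".
build_wlan_filter() {
    field=$1
    shift
    filt=""
    for mac in "$@"; do
        if ! is_mac "$mac"; then
            printf 'build_wlan_filter: not a colon-separated MAC: %s\n' "$mac" >&2
            return 1
        fi
        if [ -z "$filt" ]; then
            filt="wlan $field $mac"
        else
            filt="$filt or wlan $field $mac"
        fi
    done
    printf '%s\n' "$filt"
}

# Demo: the address from the question plus one constructed sample address.
# The resulting dumpcap command is printed rather than run, so this script
# needs neither root nor a wireless interface to execute.
filter=$(build_wlan_filter addr1 d4:be:d9:5b:a6:45 00:11:22:33:44:55) || exit 1
printf 'dumpcap -i wlp2s0 -b filesize:100000 -w capture.pcapng -a duration:18000 -f "%s"\n' "$filter"
```

Because the expression contains spaces, the double quotes around `"$filter"` in the printed command are what keep it a single argument; without them dumpcap receives only `wlan` as the filter and reports the next word as an invalid argument, exactly the error in the question.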