gerbd.blogg.se

Wireshark filter wifi mac address

I realized that, probably since I don't use it every day, each time I use tshark I find myself googling for the right arguments and filters to use. Not to mention, using display filters to find exactly what you're looking for takes a long time (and isn't scriptable).

Enter tshark - the command-line version of Wireshark. Sometimes Wireshark doesn't handle large pcap files gracefully, particularly files over a few GiB.

First, as a reminder, let's write all 16 possible values for a nibble in binary, with the 4 values of interest, 2, 6, A and E marked: b3 b2 b1 b0

A naive approach to filtering would be to simply check all 4 bits of the nibble.


yet? Perhaps an enhancement bug report could be filed for this.

An aside: How do we know we're looking for patterns where bit 1 is set and bit 0 is not set? Well, the easiest way is probably to draw a Karnaugh Map or "Truth Table". Now, if Wireshark supported the following construct, we could improve the filtering even more: (wlan.ta[0] & 3) = 2.


Since we require both conditions to be true, the expressions must be and'd together, so we end up with the complete filter above, namely (wlan.ta[0] & 2) and !(wlan.ta[0] & 1). This will return true for all bytes where bit 1 is set: (wlan.ta[0] & 2)

And this will return true for all bytes where bit 0 is not set: !(wlan.ta[0] & 1)

In the case of 2, 6, A and E, all values have bit 1 set to 1 and bit 0 set to 0, so I test each one in turn. But we're not interested in the entire byte, only the least-significant 2 bits of the byte, bits 1 and 0 (with bits numbered 7 through 0 from left-to-right), so I used the Bitwise And Operator to check each bit of interest. From the above data, it's clear that the only byte of interest is the 1st byte, so I used the Slice Operator to isolate the 1st byte of that field as follows: wlan.ta[0]. wlan.ta consists of 6 bytes, numbered 0 through 5. Since I don't know what is known already and what isn't, I've tried to explain every detail.

First off, I didn't bother to look at RFC7402 Section 2.1 as mentioned in Issue 17246 that mentioned I just looked at the patterns of interest, namely: XA:XX:XX:XX:XX:XX

Have you tried this? (wlan.ta[0] & 2) and !(wlan.ta[0] & 1)

EDIT: asked for an explanation, so I've added some more details here.
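The bit test on the first byte of wlan.ta described above can be checked outside Wireshark. The following Python is an added example, not code from the original answer; the function names and the sample transmitter addresses are constructed for illustration. It compares the naive nibble check, the two-test filter and the single masked comparison over every possible first byte.

```python
# Added example: all MAC addresses below are constructed sample values.

def first_byte(mac: str) -> int:
    """Return byte 0 of a colon- or dash-separated 6-byte MAC address."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return int(parts[0], 16)

def naive_match(b: int) -> bool:
    # Naive approach: compare the whole low nibble against 2, 6, A and E.
    return (b & 0x0F) in (0x2, 0x6, 0xA, 0xE)

def two_test_match(b: int) -> bool:
    # Same logic as the display filter: (byte & 2) and !(byte & 1).
    return bool(b & 2) and not (b & 1)

def masked_match(b: int) -> bool:
    # The single comparison the answer wishes for: (byte & 3) = 2.
    return (b & 3) == 2

def nibble_truth_table() -> list[tuple[str, str, bool]]:
    """(hex digit, b3 b2 b1 b0, matches?) for all 16 nibble values."""
    return [(format(n, "X"), format(n, "04b"), two_test_match(n))
            for n in range(16)]

def matching(macs: list[str]) -> list[str]:
    """Keep the addresses whose first byte has bit 1 set and bit 0 clear."""
    return [m for m in macs if two_test_match(first_byte(m))]

SAMPLE_TA = [  # constructed transmitter addresses
    "da:a1:19:00:11:22", "00:1b:63:aa:bb:cc", "3e:52:82:10:20:30",
    "01:00:5e:00:00:fb", "f6:0c:77:01:02:03", "b2-9a-44-0a-0b-0c",
    "ff:ff:ff:ff:ff:ff", "a4:83:e7:55:66:77",
]

if __name__ == "__main__":
    for digit, bits, hit in nibble_truth_table():
        print(digit, " ".join(bits), "<-- match" if hit else "")
    same = all(naive_match(b) == two_test_match(b) == masked_match(b)
               for b in range(256))
    print("three predicates agree on all 256 byte values:", same)
    print("matching sample addresses:", matching(SAMPLE_TA))
```
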













