Wireshark-users: Re: [Wireshark-users] Filter out a string using a display filter
From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Fri, 14 May 2010 17:47:41 +0200
Hi Panos,

First question:
You can take a look at the "Filter Expression" dialog box:
http://www.wireshark.org/docs/wsug_html_chunked/ChUseFilterToolbarSection.html
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkFilterAddExpressionSection.html

Select:
Fieldname: IEEE 802.11 - IEEE 802.11 wireless LAN -> wlan.fc.type_subtype
Relation: ==
You will see Predefined values at the right side of the dialog box.

Or browse to:
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ieee80211.c?view=markup&pathrev=22102
To find the values search for: MGT_PROBE_REQ

Second question:
You can open the capture files with Microsoft Network Monitor 3.3 and filter on "Description":
http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

Hope this helps
Joan

On Fri, 14 May 2010 10:49:27 -0400 Anthony Murabito wrote:
>Hi Panos,
>
>The reference table you speak of is formally contained within the IEEE
>802.11 Standard. There may be some wireshark code you can look at,
>however, that may map all the type/subtypes out as well. Perhaps someone
>on this mailing list can point you to that place, I don't know where it is.
>
>I don't have a good answer to your second question, however I can answer
>the third. Probe Requests & Responses are a generic way for 802.11
>devices to exchange information. They are packed with information
>elements which can show security configurations, supported rates, 11n
>capabilities, proprietary information, etc. They are often used when an
>802.11 device is in "Active Scanning" mode, to find out information
>about all local basic service sets.
>
>-Anthony
>
>On 05/14/2010 07:13 AM, Panagiotis Georgopoulos wrote:
>> Hello Anthony and Guy,
>>
>>> On May 13, 2010, at 9:11 AM, Anthony Murabito wrote:
>>>
>>>> Hi Panos,
>>>>
>>>> wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05
>>>>
>>> I.e., 802.11 probe packets don't contain the phrase "probe request" or
>>> "probe response"; those strings are contained, instead, in Wireshark
>>> and TShark (or, rather, in the library that both of them use to dissect
>>> packets), and they use them when displaying the packet summary and
>>> details. What the probe request and response packets contain (along
>>> with all other 802.11 packets) are a type and subtype field, with
>>> particular values for particular packet types, and what you need to
>>> check for are those packet types.
>>>
>> Thank you both very much for your replies, they were really helpful! Anthony
>> provided a solution to the problem and Guy an explanation ;-)
>>
>> I get this now, however:
>>
>> a) is there a reference table somewhere that describes these values,
>> e.g. that 0x04 is probe request and 0x05 is probe reply?
>> b) is there a way to instruct Wireshark to filter based on the info
>> it presents in the info field for a packet? (which is what the user sees, so
>> IMHO it makes much more sense)
>> c) although this goes beyond the scope of this list, what are these
>> probe request and response 802.11 packets exactly? I was not seeing them in
>> previous tests, why did they appear now?
>>
>> Thanks a lot in advance,
>> Panos
>>
>___________________________________________________________________________
>Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>Archives: http://www.wireshark.org/lists/wireshark-users
>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
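The thread's point is that a display filter matches on the decoded type/subtype field, not on the "Probe Request" text Wireshark prints in the Info column. The following added example (not from the thread or from Wireshark's own code) decodes the 802.11 Frame Control field the way wlan.fc.type_subtype does, looks up a hand-copied subset of the predefined names, and applies the `!= 0x04 && != 0x05` filter from Anthony's reply to a few constructed frames. The name table, the sample frames and the helper names are assumptions made for this example.

```python
"""Decode the 802.11 Frame Control field into Wireshark's wlan.fc.type_subtype
and apply the probe-excluding display filter from the thread to raw frames."""

# First Frame Control byte (IEEE 802.11):
#   bits 0-1  protocol version (always 0 in practice)
#   bits 2-3  frame type      (0 = management, 1 = control, 2 = data)
#   bits 4-7  frame subtype
# Wireshark's wlan.fc.type_subtype packs these as (type << 4) | subtype,
# which is why a probe request is 0x04 and a probe response is 0x05.

# Hand-copied subset of the predefined values shown in the Filter Expression
# dialog (mirrors the MGT_*/CTRL_*/DATA_* defines in packet-ieee80211.c).
# This is an assumption for the example, not read from the dissector.
TYPE_SUBTYPE_NAMES = {
    0x00: "Association Request",
    0x01: "Association Response",
    0x04: "Probe Request",
    0x05: "Probe Response",
    0x08: "Beacon",
    0x0a: "Disassociate",
    0x0b: "Authentication",
    0x0c: "Deauthentication",
    0x1b: "Request-to-send",
    0x1c: "Clear-to-send",
    0x1d: "Acknowledgement",
    0x20: "Data",
    0x28: "QoS Data",
}


def type_subtype(frame: bytes) -> int:
    """Return wlan.fc.type_subtype for a raw 802.11 frame (no radiotap header)."""
    if len(frame) < 2:
        raise ValueError("frame too short to hold a Frame Control field")
    fc0 = frame[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0:
        raise ValueError(f"unsupported 802.11 protocol version {version}")
    return (ftype << 4) | subtype


def describe(ts: int) -> str:
    """Human-readable name, roughly what the Info column would show."""
    return TYPE_SUBTYPE_NAMES.get(ts, f"unknown (0x{ts:02x})")


def keep_frame(frame: bytes) -> bool:
    """Python equivalent of the display filter
    wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05"""
    ts = type_subtype(frame)
    return ts != 0x04 and ts != 0x05


def filter_out_probes(frames):
    """Apply keep_frame() to a list of raw frames, as a display filter would."""
    return [f for f in frames if keep_frame(f)]


# Constructed sample frames: only the 2-byte Frame Control field is populated
# (addresses and body omitted), enough to exercise the decoder.
SAMPLE_FRAMES = {
    "probe_req": b"\x40\x00",   # type 0, subtype 4  -> 0x04
    "probe_resp": b"\x50\x00",  # type 0, subtype 5  -> 0x05
    "beacon": b"\x80\x00",      # type 0, subtype 8  -> 0x08
    "ack": b"\xd4\x00",         # type 1, subtype 13 -> 0x1d
    "qos_data": b"\x88\x02",    # type 2, subtype 8  -> 0x28
}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        ts = type_subtype(frame)
        print(f"{name:10s} 0x{ts:02x} {describe(ts):20s} kept={keep_frame(frame)}")
```

The same expression can be given unchanged to Wireshark's display filter bar; the decoder above only shows where the 0x04 and 0x05 come from, which is what question (a) asked.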