Wireshark-users: Re: [Wireshark-users] Basic question about Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 27 Jul 2011 00:38:30 -0700
On Jul 27, 2011, at 12:13 AM, Frank Walter wrote:

>> Are you talking about capture filter?
>> Unfortunately the capture filter syntax is different from display filter
>> syntax.
>> The capture filter
>>  not ether dest ff:ff:ff:ff:ff:ff
>> should exclude broadcast packets.
> 
> Oh no. This gives me a clear:
> 
> Invalid capture filter: "not ether dest ff:ff:ff:ff:ff:ff"!

The person who said "ether dest" was wrong - it should be "ether dst":

	$ tcpdump -i en1 -d not ether dst ff:ff:ff:ff:ff:ff
	(000) ld [2]
	(001) jeq #0xffffffff jt 2	jf 5
	(002) ldh [0]
	(003) jeq #0xffff jt 4	jf 5
	(004) ret #0
	(005) ret #65535 

> The "problem" is, that the display filter doesn't work. E.g. like this:
> 
> !(eth.dst == ff:ff:ff:ff:ff:ff)
> 
> when I am in Monitor mode.

In monitor mode, you probably have 802.11 headers rather than Ethernet headers, so it's probably

	!(wlan.da == ff:ff:ff:ff:ff:ff)

rather than

	!(eth.dst == ff:ff:ff:ff:ff:ff)

> And I don't know either how to filter all those packets away with another SSID.

The SSID isn't in every packet, so that's not implementable unless the 802.11 dissector were to determine the SSID corresponding to the RA or TA and put it into the 802.11 header as a "generated" field.
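To make the two points above concrete (what the `tcpdump -d` output actually checks, and why the destination address moves from `eth.dst` to `wlan.da` once the interface is in monitor mode), here is an added example that is not part of the original mailing-list post. It is a small interpreter for the six-instruction classic BPF program transcribed from the `tcpdump -d` output, run over constructed Ethernet frames, plus a helper that locates the 802.11 destination address the way Wireshark's `wlan.da` field does (Addr3 when To DS is set, otherwise Addr1). The interpreter, the frame builders and every MAC address below are my own constructions for illustration; libpcap compiles a capture filter for the link-layer type of the interface, so the program shown is the Ethernet one and is not what libpcap would emit for an 802.11 capture.

```python
# Added example, not part of the original mailing-list post: a small
# interpreter for the six-instruction classic BPF program that
# "tcpdump -d not ether dst ff:ff:ff:ff:ff:ff" printed above, run over
# constructed Ethernet frames, plus a helper that picks out the 802.11
# destination address (Wireshark's wlan.da) from a constructed monitor-mode
# data frame. All frames and MAC addresses here are made-up test data.
import struct

# The program exactly as tcpdump -d printed it. tcpdump prints absolute
# jump targets, so jt/jf below are absolute instruction indices.
PROGRAM = [
    ("ld",  2),                  # A = 32-bit word at offset 2: last 4 bytes of dst MAC
    ("jeq", 0xFFFFFFFF, 2, 5),   # A == 0xffffffff ? goto 2 : goto 5
    ("ldh", 0),                  # A = 16-bit halfword at offset 0: first 2 bytes of dst MAC
    ("jeq", 0xFFFF, 4, 5),       # A == 0xffff ? goto 4 : goto 5
    ("ret", 0),                  # whole dst MAC is ff:ff:ff:ff:ff:ff -> drop (0 bytes)
    ("ret", 65535),              # anything else -> accept (keep up to 65535 bytes)
]


def run_bpf(program, pkt):
    """Execute a classic BPF program over a packet; return the number of
    bytes to keep (0 means the packet is filtered out)."""
    pc, acc = 0, 0
    while True:
        insn = program[pc]
        op = insn[0]
        if op == "ld":                      # 32-bit big-endian load
            off = insn[1]
            if off + 4 > len(pkt):
                return 0                    # out-of-range load rejects the packet
            acc = struct.unpack_from("!I", pkt, off)[0]
            pc += 1
        elif op == "ldh":                   # 16-bit big-endian load
            off = insn[1]
            if off + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, off)[0]
            pc += 1
        elif op == "jeq":
            _, k, jt, jf = insn
            pc = jt if acc == k else jf
        elif op == "ret":
            return insn[1]
        else:
            raise ValueError(f"unsupported opcode {op!r}")


def mac(text):
    """'ff:ff:ff:ff:ff:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def wlan_data_frame(flags, addr1, addr2, addr3, payload=b"\x00" * 8):
    """Constructed 802.11 data frame (no radiotap header): Frame Control
    (type=data, given flags byte), Duration, Addr1..Addr3, Sequence Control."""
    fc = bytes([0x08, flags])               # 0x08 = type 2 (data), subtype 0
    return fc + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00" + payload


def wlan_da(frame):
    """Destination address of an 802.11 data frame, as Wireshark's wlan.da
    reports it: Addr3 when To DS is set, otherwise Addr1."""
    flags = frame[1]                        # second byte of Frame Control
    to_ds = flags & 0x01
    addr1, addr3 = frame[4:10], frame[16:22]
    return mac_str(addr3 if to_ds else addr1)


def eth_filter_keeps(frame):
    """True if the 'not ether dst ff:ff:ff:ff:ff:ff' program keeps the frame."""
    return run_bpf(PROGRAM, frame) != 0


if __name__ == "__main__":
    bcast = ethernet_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55")
    ucast = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb")
    half = ethernet_frame("00:00:ff:ff:ff:ff", "66:77:88:99:aa:bb")
    print("eth broadcast kept:", eth_filter_keeps(bcast))      # False
    print("eth unicast kept:", eth_filter_keeps(ucast))        # True
    print("00:00:ff:ff:ff:ff kept:", eth_filter_keeps(half))   # True: both loads must match
    w = wlan_data_frame(0x00, "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff")
    print("wlan.da:", wlan_da(w), "/ Ethernet-offset program keeps it:", eth_filter_keeps(w))
```

The `ld [2]` / `ldh [0]` pair is how the compiler compares a 6-byte MAC with a 4-byte accumulator: the frame with destination `00:00:ff:ff:ff:ff` passes the first comparison and is only accepted because the second one fails, which is why both loads are needed. Fed a constructed 802.11 data frame whose Addr1 is the broadcast address, the same Ethernet-offset program reads the Frame Control and Duration bytes instead of a MAC and keeps the frame, which is the byte-level reason the display filter has to switch from `eth.dst` to `wlan.da` in monitor mode.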