0

Im trying to filter out just he Probes and Broadcast frames on the wifi.

Using SharpPcap.

((SharpPcap.AirPcap.AirPcapDevice)(device)).Filter = "wlan.fc.type eq 0";

does not work

same with

((SharpPcap.AirPcap.AirPcapDevice)(device)).Filter = "wlan.fc.type == 0";

This lines seems to allow Broadcast

((SharpPcap.AirPcap.AirPcapDevice)(device)).Filter = "broadcast";

but need to really get all managent frames.

Justin Boo
  • 10,132
  • 8
  • 50
  • 71
Karl
  • 1
  • 2

1 Answers1

0

I think your problem is the following: Wireshark decodes the packets, so when you apply those filters the packets are already decoded, thus are able to access wlan.fc.type field.

Based on my personal experience and SharpPcap usage, the Filter you're trying to use is computed on a byte[], so you need to be way more specific to be sure it's applied properly.

For example, I've been using this filter for my purpose.

private const String filteringSV = "(ether[0:4] = 0x010CCD04)";

Additionally, remember to set the filter only on an already opened device.

if (nicToUse != null)
         {
            try
            {
               nicToUse.OnPacketArrival -= OnPackectArrivalLive;
               nicToUse.OnPacketArrival += OnPackectArrivalLive;
               try
               {
                  if (nicToUse.Started)
                     nicToUse.StopCapture();
                  if (nicToUse.Opened)
                     nicToUse.Close();
               }
               catch (Exception)
               {
                  //no handling, just do it.
               }

               nicToUse.Open(OpenFlags.Promiscuous|OpenFlags.MaxResponsiveness,10);                 

               nicToUse.Filter = "(ether[0:4] = 0x010CCD04)";

               nicToUse.StartCapture();
            }
            catch (Exception ex)
            {
               throw new Exception(Resources.SharpPCapPacketsProducer_Start_Error_while_starting_online_capture_, ex);
            }
         }

Hope it helped.

Lorenzo Santoro
  • 464
  • 1
  • 6
  • 16