How should I approach learning to work with Wireshark and 802.11 packet captures?

  • 2
  • Question
  • Updated 4 years ago
  • Answered
I'm not comfortable with Wireshark filters, so I'm constantly challenged by not knowing how to filter to find what I'm looking for. I am also currently studying for the CWAP, so I don't fully understand 802.11 packets at the level of detail that I need to.

Keith Cotterman, Sr System Engineer


Posted 4 years ago

  • 2

Bryan Harkins


Laura Chappell has several articles and books on learning Wireshark. I would start with her information and really spend some time creating situations within the WLAN and monitoring them. When you become more familiar with how the traffic looks in given situations in a controlled setting, diagnosing the behavior in a live network will be easier. You can't beat experience.



Thomas Bach

Laura Chappell's book is a very good start. She uses hands-on examples, with sample capture files.

Remon Braamse


Can you tell me which book that is? When I search on the internet I see she has 4 books. I am looking for the Wireshark basics.


Martin Ericson

Google for Wireshark University and you will find Laura's main site.
She has some free stuff, even webinars, and there are also links to order her books. Also Google for Sharkfest; there are some nice presentations there. Even if Laura has published a lot about sniffing, there is not that much about wireless, but at least you get a good start.

Martin Ericson

She covers wireless in just one chapter of the book. But you need to read most parts of the book anyway, because TCP/IP troubleshooting is the same in wireless and wireline.


Laura indeed seems to be leading in that field ;)
But just start with some basics. Download some example traces and compare them with your own real-life traces, e.g. use Wireshark to analyse the DHCP process on your laptop. Or use a SIP phone and analyse phone calls.

Thomas Bach

Wireshark (R) 101: Essential Skills for Network Analysis
Troubleshooting with Wireshark: Locate the Source of Performance Problems

Matthew Gast

Make a cookbook. I find that a lot of Wireshark captures need to do the same thing, so if I sit down and think "how do I make Beacon frames go away" (make sure that the Type/Subtype fields do not equal the value for Beacon), it flows out of my fingers because I've typed it so many times.

Here's a suggestion:
  1. Think about all the things you want to learn from captures
  2. Identify what parts of the 802.11 frame you need to match (or not match); you can get the 802.11 spec available for free now
  3. Use the dissector view to see what the name of the field is (I think you can match the whole type/subtype field by referring to "wlan.type_subtype"). You can highlight the field in the dissector view, and the status bar at the bottom will tell you the name. The field itself will be highlighted in the raw data view.
Here are a few assignments to get started with:
  • Don't show me the Beacons
  • Don't show me any ACKs (which are kinda annoying since the ACK doesn't have a sender anyway!)
  • Show me all retransmitted frames
  • Show me all frames transmitted at 1 Mbps (I think this requires getting the interface into a privileged monitor mode to get the radiotap headers)
  • Don't show me any broadcast frames
  • Only show me traffic sent from client devices through the AP
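As an added example (not from any poster in this thread), the assignments above implemented as predicates over a minimal 802.11 MAC-header decoder, with the Wireshark display filter each one corresponds to in a comment. The frames and MAC addresses are constructed for the demonstration; the 1 Mbps assignment is left out because the data rate lives in the radiotap header, not in the 802.11 frame itself.

```python
import struct

# Frame Control (little-endian 16 bits): bits 2-3 = type, bits 4-7 = subtype,
# bit 8 = To DS, bit 9 = From DS, bit 11 = Retry.
MGMT, CTRL, DATA = 0, 1, 2
BEACON = (MGMT, 8)   # Wireshark: wlan.fc.type_subtype == 0x08
ACK = (CTRL, 13)     # Wireshark: wlan.fc.type_subtype == 0x1d
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame: bytes) -> dict:
    """Decode only the MAC header fields the assignments need."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    h = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
         "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
         "retry": bool(fc & 0x0800), "addr1": mac(frame[4:10])}
    if len(frame) >= 22:             # ACK and CTS carry only Address 1
        h["addr2"], h["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    # Destination address is Address 3 when To DS is set, otherwise Address 1
    h["da"] = h["addr3"] if h["to_ds"] and "addr3" in h else h["addr1"]
    return h

# One predicate per assignment; the equivalent display filter is in the comment.
FILTERS = {
    "no_beacons":   lambda h: (h["type"], h["subtype"]) != BEACON,  # !(wlan.fc.type_subtype == 0x08)
    "no_acks":      lambda h: (h["type"], h["subtype"]) != ACK,     # !(wlan.fc.type_subtype == 0x1d)
    "retries":      lambda h: h["retry"],                           # wlan.fc.retry == 1
    "no_broadcast": lambda h: h["da"] != BROADCAST,                 # wlan.da != ff:ff:ff:ff:ff:ff
    "client_to_ap": lambda h: h["type"] == DATA and h["to_ds"] and not h["from_ds"],  # wlan.fc.tods == 1 && wlan.fc.fromds == 0
}

def apply_filter(name: str, frames: list) -> list:
    """Return the indexes of the frames that pass the named filter."""
    return [i for i, f in enumerate(frames) if FILTERS[name](parse_header(f))]

def build(fc: int, addr1: str, addr2: str = None, addr3: str = None) -> bytes:
    """Constructed frame: Frame Control, Duration, addresses, Sequence Control."""
    out = struct.pack("<HH", fc, 0) + bytes.fromhex(addr1.replace(":", ""))
    if addr2:
        out += bytes.fromhex(addr2.replace(":", "")) + bytes.fromhex(addr3.replace(":", "")) + b"\x00\x00"
    return out

AP, STA, DST = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"  # constructed
SAMPLE = [
    build(0x0080, BROADCAST, AP, AP),  # 0: Beacon, broadcast destination
    build(0x00D4, STA),                # 1: ACK to the client (no sender address)
    build(0x0108, AP, STA, DST),       # 2: data, client -> AP (To DS set)
    build(0x0908, AP, STA, DST),       # 3: the same frame, retransmitted
    build(0x0208, STA, AP, DST),       # 4: data, AP -> client (From DS set)
]
```

Confirm the field names against the dissector view of your own Wireshark version, as the post suggests, before putting them in your cookbook.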