When a wireless network card is in monitor mode (set up with airmon-ng), Wireshark picks up not just Ethernet-level frames but also the raw 802.11 wireless frames. This data is very interesting, but the volume can be large: wireless access points send out a lot of “beacon frames” that you might want to filter out.
In this post we provide a list of the most useful Wireshark display filters for 802.11 frames. Use them in Wireshark in the filter field displayed below.
802.11 Frame Format
The generic 802.11 frame structure is displayed below. Most of the interesting values are in the Frame Control section, because this section determines the type of the frame.
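The following is an added example, not code from the original post. It decodes the two-byte Frame Control field and derives the values that the `wlan.fc.type` and `wlan.fc.type_subtype` filters compare against. It assumes the input starts at the 802.11 MAC header (any radiotap header already stripped); the function names and sample bytes are constructed for illustration.

```python
import struct

# Frame type names, keyed by the value Wireshark exposes as wlan.fc.type.
TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Subtype names from the filter list on this page, keyed by wlan.fc.type_subtype.
SUBTYPES = {0: "Association request", 1: "Association response",
            2: "Reassociation request", 3: "Reassociation response",
            4: "Probe request", 5: "Probe response", 8: "Beacon"}

def decode_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte Frame Control field at the start of an 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("need at least 2 bytes of Frame Control")
    (fc,) = struct.unpack_from("<H", frame)  # field is transmitted little-endian
    ftype = (fc >> 2) & 0x3                  # bits 2-3: frame type
    subtype = (fc >> 4) & 0xF                # bits 4-7: frame subtype
    # Wireshark's combined field: type in the high nibble, subtype in the low nibble.
    type_subtype = (ftype << 4) | subtype
    return {
        "version": fc & 0x3,
        "type": ftype,
        "subtype": subtype,
        "type_subtype": type_subtype,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),
        "name": SUBTYPES.get(type_subtype, TYPES.get(ftype, "Reserved")),
    }

def display_filter(frame: bytes) -> str:
    """Return the display filter selecting frames of the same type and subtype."""
    return "wlan.fc.type_subtype == %d" % decode_frame_control(frame)["type_subtype"]

def drop_beacons(frames):
    """Offline equivalent of the display filter !(wlan.fc.type_subtype == 8)."""
    return [f for f in frames if decode_frame_control(f)["type_subtype"] != 8]

# Constructed sample headers (Frame Control + Duration only), not captured traffic.
SAMPLES = [bytes.fromhex(h) for h in ("80000000", "40000000", "50003a01",
                                      "d4000000", "08413000")]

if __name__ == "__main__":
    for s in SAMPLES:
        info = decode_frame_control(s)
        print(s.hex(), info["name"], display_filter(s))
```

Because the combined value is type × 16 + subtype, management subtypes keep their small numbers (beacon is 8), while control and data frames land at 16 and above (a plain data frame is 32).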
wlan.fc.type == 0                  Management frames
wlan.fc.type == 1                  Control frames
wlan.fc.type == 2                  Data frames
wlan.fc.type_subtype == 0          Association request
wlan.fc.type_subtype == 1          Association response
wlan.fc.type_subtype == 2          Reassociation request
wlan.fc.type_subtype == 3          Reassociation response
wlan.fc.type_subtype == 4          Probe request
wlan.fc.type_subtype == 5          Probe response
wlan.fc.type_subtype == 8          Beacon
wlan.addr == 12:34:56:AB:CD:EF     Select frames where any of