Wireshark 'in' operator

The thing I'm working on has gotten to the point of looking at pcaps. I love a good ol' hexdump (shout out to FreeBSD's in-kernel hexdump, and an honourable mention to printf(9), which offers bitfield and byte dump functions).

More than a hexdump I love a packet capture. When asked I'll say -xx is my favourite tcpdump flag, narrowly beating out -ttttt.

Wireshark expressions can get a bit cumbersome if you are trying to look at many things. Luckily you can use the membership (in) operator as a filter. As an example, this will give you ieee80211 probe requests, probe responses, association requests and association responses, only requiring you to find the subtype values somewhere (like a header file, /usr/include/net80211/ieee80211.h):

#define IEEE80211_FC0_SUBTYPE_MASK              0xf0
#define IEEE80211_FC0_SUBTYPE_SHIFT             4
/* 802.11-2020 Table 9-1-Valid type and subtype combinations */
/* For type 00 Management (IEEE80211_FC0_TYPE_MGT) */
#define IEEE80211_FC0_SUBTYPE_ASSOC_REQ         0x00    /* Association Request */
#define IEEE80211_FC0_SUBTYPE_ASSOC_RESP        0x10    /* Association Response */
#define IEEE80211_FC0_SUBTYPE_REASSOC_REQ       0x20    /* Reassociation Request */
#define IEEE80211_FC0_SUBTYPE_REASSOC_RESP      0x30    /* Reassociation Response */
#define IEEE80211_FC0_SUBTYPE_PROBE_REQ         0x40    /* Probe Request */
#define IEEE80211_FC0_SUBTYPE_PROBE_RESP        0x50    /* Probe Response */
#define IEEE80211_FC0_SUBTYPE_TIMING_ADV        0x60    /* Timing Advertisement */
/* 0111 Reserved                                0x70 */
#define IEEE80211_FC0_SUBTYPE_BEACON            0x80    /* Beacon */
#define IEEE80211_FC0_SUBTYPE_ATIM              0x90    /* ATIM */
#define IEEE80211_FC0_SUBTYPE_DISASSOC          0xa0    /* Disassociation */
#define IEEE80211_FC0_SUBTYPE_AUTH              0xb0    /* Authentication */
#define IEEE80211_FC0_SUBTYPE_DEAUTH            0xc0    /* Deauthentication */
#define IEEE80211_FC0_SUBTYPE_ACTION            0xd0    /* Action */
#define IEEE80211_FC0_SUBTYPE_ACTION_NOACK      0xe0    /* Action No Ack */

Wireshark's wlan.fc.type_subtype values already have the subtype shifted down by the 4-bit IEEE80211_FC0_SUBTYPE_SHIFT (so the header's 0x40 for a probe request is 0x0004 in Wireshark), which gives us a filter like this:

wlan.fc.type_subtype in {0x0000, 0x0001, 0x0004, 0x0005}
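To make the shift between the header constants and the Wireshark values concrete, here is a small C program written for this post as an added example; it is not code from the original post or from FreeBSD. It takes the fc0 byte of an 802.11 frame, derives the wlan.fc.type_subtype value the way Wireshark packs it (frame type in bits 4-5, subtype in the low nibble, which is the layout the filter values above reflect), renders the same display filter string, and applies the membership test to a few constructed frames. IEEE80211_FC0_TYPE_MASK and IEEE80211_FC0_TYPE_SHIFT come from the same ieee80211.h header but are not quoted on the page; the sample frames are constructed and only their first byte matters to the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from /usr/include/net80211/ieee80211.h. The type mask and shift are
 * in the same header but were not quoted in the post. */
#define IEEE80211_FC0_TYPE_MASK            0x0c
#define IEEE80211_FC0_TYPE_SHIFT           2
#define IEEE80211_FC0_SUBTYPE_MASK         0xf0
#define IEEE80211_FC0_SUBTYPE_SHIFT        4
#define IEEE80211_FC0_SUBTYPE_ASSOC_REQ    0x00
#define IEEE80211_FC0_SUBTYPE_ASSOC_RESP   0x10
#define IEEE80211_FC0_SUBTYPE_PROBE_REQ    0x40
#define IEEE80211_FC0_SUBTYPE_PROBE_RESP   0x50
#define IEEE80211_FC0_SUBTYPE_BEACON       0x80

/* Wireshark's wlan.fc.type_subtype: frame type in bits 4-5, subtype in bits
 * 0-3. The header keeps the subtype in the high nibble of fc0, so it is
 * shifted down by IEEE80211_FC0_SUBTYPE_SHIFT here. */
uint16_t wireshark_type_subtype(uint8_t fc0)
{
    uint16_t type = (fc0 & IEEE80211_FC0_TYPE_MASK) >> IEEE80211_FC0_TYPE_SHIFT;
    uint16_t subtype = (fc0 & IEEE80211_FC0_SUBTYPE_MASK) >> IEEE80211_FC0_SUBTYPE_SHIFT;
    return (uint16_t)((type << 4) | subtype);
}

/* The 'in' operator: 1 if v is a member of set, else 0. */
int type_subtype_in(uint16_t v, const uint16_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == v)
            return 1;
    return 0;
}

/* Apply the filter to a raw 802.11 frame. fc0 is the first byte of the frame
 * control field; frames too short to carry frame control never match. */
int frame_matches(const uint8_t *frame, size_t len, const uint16_t *set, size_t n)
{
    if (frame == NULL || len < 2)
        return 0;
    return type_subtype_in(wireshark_type_subtype(frame[0]), set, n);
}

/* Render the Wireshark display filter from header-style fc0 values.
 * Returns the string length, or -1 if buf is too small. */
int build_filter(const uint8_t *fc0s, size_t n, char *buf, size_t buflen)
{
    int off = snprintf(buf, buflen, "wlan.fc.type_subtype in {");
    if (off < 0 || (size_t)off >= buflen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + off, buflen - (size_t)off, "%s0x%04x",
                         i ? ", " : "", wireshark_type_subtype(fc0s[i]));
        if (w < 0 || (size_t)w >= buflen - (size_t)off)
            return -1;
        off += w;
    }
    int w = snprintf(buf + off, buflen - (size_t)off, "}");
    if (w < 0 || (size_t)w >= buflen - (size_t)off)
        return -1;
    return off + w;
}

int main(void)
{
    static const uint8_t wanted[] = {
        IEEE80211_FC0_SUBTYPE_ASSOC_REQ, IEEE80211_FC0_SUBTYPE_ASSOC_RESP,
        IEEE80211_FC0_SUBTYPE_PROBE_REQ, IEEE80211_FC0_SUBTYPE_PROBE_RESP,
    };
    size_t n = sizeof wanted / sizeof wanted[0];
    uint16_t set[4];
    for (size_t i = 0; i < n; i++)
        set[i] = wireshark_type_subtype(wanted[i]);

    char filter[128];
    if (build_filter(wanted, n, filter, sizeof filter) > 0)
        printf("%s\n", filter);

    /* Constructed sample frames (24-byte management headers, zero-filled
     * apart from frame control); only fc0 matters to this filter. */
    const uint8_t probe_req[24] = { IEEE80211_FC0_SUBTYPE_PROBE_REQ, 0x00 };
    const uint8_t beacon[24]    = { IEEE80211_FC0_SUBTYPE_BEACON, 0x00 };
    printf("probe request matches: %d\n", frame_matches(probe_req, sizeof probe_req, set, n));
    printf("beacon matches:        %d\n", frame_matches(beacon, sizeof beacon, set, n));
    return 0;
}
```

The same conversion holds for the other frame types: a QoS data frame (fc0 0x88) becomes 0x0028 and an ACK (fc0 0xd4) becomes 0x001d, which are the values Wireshark shows for those frames, so the program can be used to translate any header constant into a member of an `in` set.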

If you are trying to figure out a filter in Wireshark you can always right click and pick Apply as Filter -> Selected.


My work on FreeBSD is supported by the FreeBSD Foundation; you can contribute to improving FreeBSD with code, documentation or financially by donating to the Foundation.