Finding Neighbor Reports in a Wireshark capture

I was looking through a packet frame capture today and noticed some Neighbor reports for the first time. While I had the opportunity I thought it would be useful to grab the Wireshark filter for them. I then did way too much thinking and realised I should put them into a blog post.

Note: I will now revert to the Queen's English and return the U's into the word Neighbour.

Here is a Neighbour Report Request going out from a client and the Neighbour Report Response coming back from the AP.

 

They can be hard to spot because the frame type is an Action frame. You won’t see anything about Neighbour Reports in the standard Wireshark view. However, Neighbour Reports are a two-way transaction (Request+Response), unlike most Action frames, so they can be easier to spot when scrolling through.

Notice the Action frames are Acknowledged by the destination. You can also tell which SSID the Request was for.

Here are the contents of the Neighbour Request frame.

You can see it is an Action frame with an Action Code of 4. That is useful for our filter later. You can also tell the SSID the Request was for specifically.

And here is the Neighbour Report Response from the AP.

The Response contains a bunch of potential BSSIDs (APs) the client could Probe for. It is possible to expand the BSSID Information field and see things like whether QoS and APSD are enabled on that BSSID.

So, how do you filter your thousands of frames so you can easily find these Neighbour Requests and Responses?

The field name in Wireshark is ‘wlan.rm.action_code’.

So if you just want to see Requests you can use filter ‘wlan.rm.action_code == 4’ (remember noting the Action Code earlier?). If you want to see only Responses you can use filter ‘wlan.rm.action_code == 5’.

But to me, you might as well look at both Requests and Responses together. So I would always use filter ‘wlan.rm.action_code == 4 or wlan.rm.action_code == 5’ like the image below.

I added the Action Code field as a column so it is even easier to spot the difference between the Request and Response, although the Response won’t contain the SSID in the Info column.
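To show what the filter is matching on the wire, here is an added Python example (not from the original post) that decodes an Action frame body, meaning the bytes after the 24-byte MAC header, and pulls out the SSID from a Request and the QoS/APSD bits from each neighbour in a Response. The function names and sample bytes are constructed for illustration; the Radio Measurement category value (5), element IDs and bit positions are assumed from the IEEE 802.11 frame layout.

```python
import struct

RM_CATEGORY = 5                      # Radio Measurement action category (assumed per 802.11)
NR_REQUEST, NR_RESPONSE = 4, 5       # the action codes the Wireshark filter matches
EID_SSID, EID_NEIGHBOR_REPORT = 0, 52


def elements(buf):
    """Yield (id, value) for each well-formed TLV element; stop on truncation."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            return                   # declared length runs past the frame: ignore the rest
        yield eid, buf[i + 2:i + 2 + length]
        i += 2 + length


def parse_neighbor_action(body):
    """Decode an Action frame body; return None unless it is a Neighbour Report."""
    if len(body) < 3 or body[0] != RM_CATEGORY or body[1] not in (NR_REQUEST, NR_RESPONSE):
        return None
    out = {"action_code": body[1], "dialog_token": body[2]}
    if body[1] == NR_REQUEST:
        # The optional SSID element is what Wireshark shows in the Info column.
        out["ssid"] = next((v.decode("utf-8", "replace")
                            for e, v in elements(body[3:]) if e == EID_SSID), None)
        return out
    out["neighbors"] = []
    for eid, v in elements(body[3:]):
        if eid != EID_NEIGHBOR_REPORT or len(v) < 13:
            continue                 # skip other elements and short neighbour entries
        # BSSID (6) | BSSID Information (4, little-endian) | op class | channel | PHY type
        info, op_class, channel, phy = struct.unpack_from("<IBBB", v, 6)
        out["neighbors"].append({"bssid": v[:6].hex(":"), "channel": channel,
                                 "qos": bool(info & (1 << 5)),    # capability bit 5
                                 "apsd": bool(info & (1 << 6))})  # capability bit 6
    return out


# Constructed sample frame bodies (not taken from the capture in the post).
REQUEST = bytes([5, 4, 1, 0, 4]) + b"Corp"
RESPONSE = (bytes([5, 5, 1])
            + bytes([52, 13]) + bytes.fromhex("020000000001") + struct.pack("<IBBB", 0x60, 115, 36, 9)
            + bytes([52, 13]) + bytes.fromhex("020000000002") + struct.pack("<IBBB", 0x20, 115, 44, 9))

if __name__ == "__main__":
    for body in (REQUEST, RESPONSE):
        print(parse_neighbor_action(body))
```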
