WLAN Analysis with Wireshark (Frame Section, Part 3)

Most of the Wireshark files come with a large number of captured frames. Even though it is organized by the number of frames, by default, it is difficult to locate any single item.

By marking a specific frame, it gives us an easier way to identify that frame in later analysis. The function of "Marking Packets" is under the menu of "Edit." As it is illustrated from below image screen shot, we are able to see the available options of

• Mark/Unmark Packet
• Mark All Displayed
• Unmark All Displayed
• ....

Take Frame 6 as an example, as shown in below diagram, the frame is not marked. (Frame is marked: False)

By clicking the menu to activate the marking function, it (the marked packet) will be shown with black background. In addition, the underneath description is saying "Frame is marked: True"

As you can see, Frame 6 is a Probe Response frame, coming from an Access Point (MAC ended with 0C:67:58) to the destination of a STA (MAC ended with C1:96:C4). Then, we would like to explore our interests in all of the Probe Response frames, with the same source/destination, by making those frames. As shown here in the below diagram (Out of those 5 frames, three are re-transmission frames).

Once your analysis work is done, of course, you can exercise the function of "Unmark All Displayed" (under Edit menu) to reset the mark state of all packets.