802.11 Wireshark 着色规则

使用方法:

  1. 新建文件 coloring.wireshark,将如下代码片段粘贴进去并保存。
# This file was created by Wireshark. Edit with care.
# Format: one rule per line, "@<name>@<display filter>@[fg R,G,B][bg R,G,B]",
# colour components are 16-bit (0-65535). Lines starting with "#" are comments.
# A leading "!" marks a rule as disabled: it is kept in the file but not applied.
# Wireshark evaluates rules top to bottom and the first match colours the frame,
# so the order below matters (e.g. "Bad TCP" wins over the plain TCP rules).
#
# --- Generic IP / TCP / ICMP / routing health rules (largely the stock Wireshark set) ---
@Bad TCP@tcp.analysis.flags@[0,0,0][65535,24415,24415]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][65535,63222,0]
@Spanning Tree Topology  Change@stp.type == 0x80@[0,0,0][65535,63222,0]
@OSPF State Change@ospf.msg != 1@[0,0,0][65535,63222,0]
@ICMP errors@icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11@[0,0,0][0,65535,3598]
@ICMP_NOREP@icmp.resp_not_found@[51914,22102,64250][65535,65535,65535]
@ARP@arp@[54998,59624,65535][0,0,0]
@RS@icmpv6.type == 133@[59367,29298,56797][65535,0,7453]
@RA@icmpv6.type ==134@[63479,31097,52685][0,2313,65535]
@NS@icmpv6.type == 135@[58596,29298,59367][62194,65535,0]
@NA@icmpv6.type == 136@[57568,30069,60138][771,59367,62194]
@IPv6@ip.version == 6@[44975,30069,54998][17219,13107,28784]
@ICMP@icmp@[49858,49858,65535][0,0,0]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63222,32896]
# Note the two clauses deliberately use different multicast prefixes (/4 vs /24).
@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5) || (ip.dst == 224.0.0.0/24 && ip.ttl != 1)@[37008,0,0][65535,65535,65535]
# Disabled ("!"): remove the leading "!" to colour frames with bad checksums.
!@Checksum Errors@cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1@[0,0,0][65535,24415,24415]
@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65535,64250,39321][0,0,0]
# Disabled ("!"): generic HTTP and TCP colouring is switched off so the more
# specific 802.11 / CAPWAP rules further down are not masked.
!@HTTP@http || tcp.port == 80@[36237,65535,32639][0,0,0]
@IPX@ipx || spx@[65535,58339,58853][0,0,0]
@DCERPC@dcerpc@[51143,38807,65535][0,0,0]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || gvrp || igmp || ismp@[65535,62451,54998][0,0,0]
# Bitwise test: 0x02 is the SYN bit of tcp.flags.
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][0,0,0]
!@TCP@tcp@[59367,59110,65535][0,0,0]
# eth[0] & 1 tests the group (multicast/broadcast) bit of the destination MAC.
@Broadcast@eth[0] & 1@[65535,65535,65535][32896,32896,32896]
@SIP@sip@[8481,47802,45489][65535,65535,65535]
# Disabled ("!"): AP -> controller CAPWAP control (the WLC -> AP direction is enabled below).
!@CAPWAP-CTRL_from_AP@udp.dstport == 5246@[65535,58596,0][0,0,0]
#
# --- 802.11 management frames (wlan.fc.type == 0), keyed on type_subtype ---
@Beacon@wlan.fc.type_subtype == 0x08@[32896,51657,33410][0,0,0]
@Probe Request@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x04)@[65535,514,0][65535,65535,65535]
@Probe Response@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05)@[38293,30069,65535][65535,65535,65535]
@Association Request@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00)@[65535,20303,26471][0,0,0]
@Association Response@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x01)@[25700,35466,65535][0,0,0]
@Reassociation Request@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02)@[58853,25186,28013][65535,65535,65535]
@Reassociation Response@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x03)@[23130,26471,65535][65535,65535,65535]
# NOTE(review): the three Block-Ack action rules below are disabled and use the
# legacy "wlan_mgt.*" field names, which newer Wireshark releases folded into
# "wlan.*" — confirm the field names against your Wireshark version before
# removing the "!" (an unknown field makes the rule invalid on import).
!@ADDBA_Req@(((wlan_mgt.fixed.category_code == 3) && (wlan.fc.subtype == 13)) && (wlan.fc.type == 0)) && (wlan_mgt.fixed.action_code == 0x00)@[65535,5397,50115][4369,65021,33410]
!@ADDBA_Resp@(((wlan_mgt.fixed.category_code == 3) && (wlan.fc.subtype == 13)) && (wlan.fc.type == 0)) && (wlan_mgt.fixed.action_code == 0x01)@[19532,0,65535][7453,62965,0]
!@DELBA@(((wlan_mgt.fixed.category_code == 3) && (wlan.fc.subtype == 13)) && (wlan.fc.type == 0)) && (wlan_mgt.fixed.action_code == 0x02)@[60138,28013,65535][0,65535,19275]
# Disassociation / authentication / deauthentication — worth a distinct colour when
# reviewing a capture for unexpected client drops.
@Disassociate@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)@[45489,27499,53199][65535,65535,65535]
@Authentication@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0b)@[63736,40092,3084][65535,65535,65535]
@Deauth@(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)@[41634,7967,60652][65535,65535,65535]
#
# --- 802.11 control frames (wlan.fc.type == 1) ---
@ACK@(wlan.fc.type == 1)&&(wlan.fc.subtype == 13)@[41377,41377,41377][65535,65535,65535]
@BA@(wlan.fc.type == 1)&&(wlan.fc.subtype == 9)@[28527,28527,28527][6168,64764,20303]
@RTS@(wlan.fc.type == 1)&&(wlan.fc.type_subtype == 0x1b)@[65535,19532,60652][65535,65535,65535]
@CTS@(wlan.fc.type == 1)&&(wlan.fc.type_subtype == 0x1c)@[32125,41891,59881][65535,65535,65535]
@BA_Request@(wlan.fc.type == 1)&&(wlan.fc.subtype == 8)@[56540,14392,14392][3341,63993,5654]
#
# --- Authentication (EAPOL/EAP/TLS) and AP <-> controller (CAPWAP/LWAPP) traffic ---
@EAPOL-START@eapol.type == 1@[60138,52171,20303][0,0,0]
# NOTE(review): the two CAPWAP heartbeat rules match only on frame length plus a
# DTLS application-data record (content_type 23); any other DTLS record of the
# same length is coloured identically, so treat these as heuristics.
@CAPWAP_Heartbeat@(frame.len==123)&&(dtls.record.content_type == 23)@[65535,17219,8995][65535,65535,65535]
@CAPWAP_FastHeartBeat@(frame.len==139)&&(dtls.record.content_type == 23)@[61937,9766,13621][65535,65535,65535]
@LWAPP_Heartbeat_Req@lwapp.control.type == 22@[57311,10280,10280][65535,65535,65535]
@LWAPP_Heartbeat_Resp@lwapp.control.type == 23@[13364,16962,55255][65535,65535,65535]
@LWAPP_FastHearbeat_Req@lwapp.control.type == 64@[55255,27756,22359][63479,63479,63479]
@LWAPP_FastHeartbeat_Resp@lwapp.control.type == 65@[26728,29298,61680][65535,65535,65535]
@CAPWAP-CTRL_from_WLC@udp.srcport == 5246@[32639,33924,62708][0,0,0]
# NOTE(review): "ssl.*" is the legacy field prefix; newer Wireshark releases use
# "tls.*" and may or may not keep the old names as aliases — confirm on import.
@SSL@ssl@[34695,54227,14135][13107,16191,50629]
@EAP-TLS@eap.type == 13@[15420,55255,20560][0,15163,65535]
# Record content type 22 = TLS handshake.
@TLS@ssl.record.content_type == 22@[59624,53199,39835][0,0,0]
@EAP@eapol.type == 0@[63993,65535,0][0,0,0]
# eap.code 2 = EAP Response (despite the "RADIUS-Resp" label), 3 = EAP Success.
@RADIUS-Resp@eap.code == 2@[59110,27499,27499][65535,65535,65535]
@EAP-Success@eap.code == 3@[59110,58082,19532][8738,16962,65535]
# WLCCP EAP outcome is matched by a byte-range on the embedded EAP message.
@WLCCP_EAP-Success@(wlccp.eap_msg >= 03:00:00:00)&&(wlccp.eap_msg <= 03:ff:ff:ff)@[62708,64764,26471][11051,4883,65021]
@WLCCP_EAP-Failure@(wlccp.eap_msg >= 04:00:00:00)&&(wlccp.eap_msg <= 04:ff:ff:ff)@[57311,59624,19789][65535,16705,16705]
@WLCCP_Deregist_Deauth@wlccp.base_message_type == 0x04@[63736,54484,28527][53456,2313,2313]
@4way-PMK@eapol.keydes.type == 2@[65535,30840,40606][65535,65535,65535]
@802.1X Key@eapol.type == 3@[57311,23644,42405][65535,65535,65535]
#
# --- 802.11 data frames (wlan.fc.type == 2): power-save, direction, retries ---
# "Sleep": null-data (subtype 4) / QoS null (subtype 12) toward the DS with the power-management bit set.
@Sleep@(wlan.fc.type == 2)&&(wlan.fc.subtype == 4)&&(wlan.fc.ds == 0x01) && (wlan.fc.pwrmgt == 1)@[65535,65535,65535][65535,35209,0]
@QoS Sleep@(wlan.fc.type == 2)&&(wlan.fc.subtype == 12)&&(wlan.fc.ds == 0x01) && (wlan.fc.pwrmgt == 1)@[65535,65535,65535][65535,30069,0]
@STA->DS@wlan.fc.ds == 0x01@[65535,65535,65535][65535,0,2056]
@DS->STA@wlan.fc.ds == 0x02@[65535,65535,65535][0,11565,65535]
@Retry@wlan.fc.retry == 1@[65535,65535,65535][33410,33410,33410]
@CAPWAP-DATA_KEEP-ALIVE@capwap.header.flags.k == 1@[7710,57311,21074][0,0,0]
@CAPWAP-DATA_from_AP@udp.dstport == 5247@[17476,49087,14135][0,0,0]
# Matched purely on the destination MAC used by RRM neighbour packets.
@RRM_Neighbor_PKT@wlan.da == 01:0b:85:00:00:00@[25957,39835,41634][0,14649,65535]

  2. 打开 Wireshark,视图->着色规则->Import…,然后选择刚才创建的文件。
  3. 效果展示:
    wireshark着色规则效果展示