Hi ,

I am trying to use AirPcap to sniff wireless packets using t-shark but I cannot save the capture and use a filter together

C:\Program Files\Wireshark>tshark.exe -a "duration:5" -R "wlan.fc.type_subtype = = 0x08" -i 1 -w D:tshark.cap

tshark: Read filters aren't supported when capturing and saving the captured packets.

So I use t-shark only to capture packets and later try to filter it using rawshark

C:\Program Files\Wireshark>tshark.exe -a "duration:5" -i 1 -w D:tshark.cap

C:\Program Files\Wireshark>rawshark -R "wlan.fc.type_subtype == 0x08" -d encap:105   -r d:\tshark.cap -s -p  -l

Unfortunately the output of the command makes no sense. I am trying to sniff beacons but all I get is a set of 0's

Has anyone tried filtering using tshark or rawshark.

BTW I am trying tshark because I plan to use it in automation. Pls also suggest any better way to do so if any but by command line

Regards TroubledUser

asked 10 Jun '12, 23:30

Trouble%20User's gravatar image

Trouble User
1112
accept rate: 0%

edited 11 Jun '12, 08:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
18.9k733181

Hi Fellow techies ,

Thanks for your replies but it still does not solve my problem .

I still need to know how to filter packets from the capture file because once I get a capture of beacons , based on my script I may need to filter more paramters . I cannot re-run t-shark because I need a single sample of packets and then run multiple filters on them.

To quote an example : 1. I get a capture of 500 beacon packets 2. From 500 Beacons I need to check configurations of 4 "SSID" like beacon interval , capability info 3. So I cannot re-run t-shark 4 times because I am doing some changes on the AP and want to capture the info on all 4 SSID simultaneously.

So your solution on capturing packets holds true if capture needed is only beacons. But here within beacon packets I need 4 Different SSID and their info. I wish to know how to apply a filter to a capture file

Regards Troubled User

(11 Jun '12, 19:20) Trouble User

So capture your beacons and then filter the capture file:

  1. tshark.exe -a "duration:5" -i 1 -f "type mgt subtype beacon" -w D:tshark.cap
  2. tshark -r D:tshark.cap -T fields -e wlan_mgt.ssid -e wlan_mgt.fixed.capabilities

Or if you want to capture packets other than just beacons, then you can apply the display filter to the capture file afterwards:

  1. tshark.exe -a "duration:5" -i 1 -w D:tshark.cap
  2. tshark.exe -r D:tshark.cap -R "wlan.fc.type_subtype == 0x08" -T fields -e wlan_mgt.ssid -e wlan_mgt.fixed.capabilities

Refer to the tshark man page for more information.

link

answered 12 Jun '12, 09:23

cmaynard's gravatar image

cmaynard ♦
6.2k725106
accept rate: 17%

edited 12 Jun '12, 09:26

If you want to see beacon frames, please try this:

tshark -r d:\tshark.cap -R "wlan.fc.type_subtype == 0x08"

The output should look similar to this:

1 0.000000 Z-Com_01:02:03 -> Broadcast 802.11 218 Beacon frame, SN=1740, FN=0, Flags=........, BI=200, SSID=WLAN_TEST

Regards
Kurt

link

answered 11 Jun '12, 08:43

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
18.9k733181
accept rate: 15%

edited 11 Jun '12, 08:44

Try using tshark instead of rawshark, as in:

`tshark -r d:\tshark.cap -R "wlan.fc.type_subtype == 0x08"`

Or, if you really only want to capture beacons, you can use a capture filter to do it instead of a display filter. I can't try this command myself at the moment, but this should work:

tshark.exe -a "duration:5" -i 1 -f "type mgt subtype beacon" -w D:tshark.cap

Unfortunately, the pcap-filter man page is not yet accessible from tcpdump's website, but you can reference it here instead: http://www.manpagez.com/man/7/pcap-filter/.

For more helpful filtering tips related to this topic, you might also refer to Joke Snelder's "Wireless Display and Capture Filters Samples" article on lovemytool.

link

answered 11 Jun '12, 08:47

cmaynard's gravatar image

cmaynard ♦
6.2k725106
accept rate: 17%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×390
×5
×2

Asked: 10 Jun '12, 23:30

Seen: 2,970 times

Last updated: 12 Jun '12, 09:26

powered by OSQA