This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display Filters - Importing Kismet pcapdump - Can I get unique MAC addresses?

I have scanned wireless networks (access points) with Kismet. Kismet gives me different files, including pcapdump, which I can open in Wireshark. I am very new to Wireshark, but I am reading and trying to grasp the concepts.

My main goal is to find the percentage of population using different encryption types, like WEP, WPA, WPA2 etc. Can I get such statistics from Wireshark or am I barking up the wrong tree?

Would I start using the Filter Display and get unique MAC addresses first? Or would that be going about it the wrong way?

[The scanning part of my project is now complete. I have 10.000 wireless access points in about 40 different filesets. Eventually they will be merged so no duplicates exist. Right now I feel very lost and overwhelmed with different programs and security terminology, but trying to keep my head above water.]

asked 18 Jun '12, 17:54

Hashes

edited 18 Jun '12, 19:07

cmaynard ♦♦

I have got a little further in my research. I am obviously not barking up the wrong tree. I know the information is to be found in Wireshark. But I still need help. So far:

In Wireshark: wlan_mgt.fixed.capabilities.ess and wlan.fc.subtype==8

wlan_mgt.fixed.capabilities.ess because in the management frame under capabilities it states ESS capabilities: Transmitter is an AP.

wlan.fc.subtype==8 because the beacon frame only comes from the AP and I remove all information coming to the AP from other laptops etc.

I am still getting duplicates. (Not identical duplicates, but like 50 beacons from the same APs.)

In Tshark I am getting a little further, when it comes to getting rid of duplicates, but not sure I am grabbing the correct information.

tshark -r ./kis1.pcapdump -T fields -e wlan_mgt.ssid | sort | uniq

Am I on the right track? How can I get unique APs in Wireshark? Any help is appreciated.

(10 Jul '12, 14:19) Hashes
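
Added example, not part of the original thread: one way to collapse repeated beacons to one record per AP and compute the encryption split, keyed on BSSID rather than SSID (sorting on SSID merges distinct APs that share a network name). The column layout, the sample rows and the function names are assumptions of this example; the columns correspond to the fields wlan.bssid, wlan_mgt.ssid, wlan_mgt.fixed.capabilities.privacy, wlan_mgt.rsn.version and wlan_mgt.wfa.ie.type (newer Wireshark releases rename wlan_mgt.* to wlan.*).

```python
from collections import Counter

# Constructed sample: tab-separated rows in the style of `tshark -T fields`,
# one row per beacon. Assumed columns: BSSID, SSID, privacy bit,
# RSN version (empty if no RSN IE), WFA vendor IE types (1 = WPA, 2 = WMM).
SAMPLE = (
    "00:11:22:33:44:01\tCafeNet\t0\t\t\n"
    "00:11:22:33:44:01\tCafeNet\t0\t\t\n"        # repeated beacon, same AP
    "00:11:22:33:44:02\tCafeNet\t1\t1\t2\n"      # same SSID, different AP
    "00:11:22:33:44:03\tOldRouter\t1\t\t\n"
    "00:11:22:33:44:04\tHomeWPA\t1\t\t1,2\n"     # multiple IEs are comma-joined
    "00:11:22:33:44:05\tMixed\t1\t1\t1,2\n"
    "00:11:22:33:44:03\tOldRouter\t1\t\t\n"
)

def unique_aps(text):
    """Collapse beacon rows to one record per BSSID, OR-ing the flags seen."""
    aps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Pad short rows so missing trailing fields read as empty.
        bssid, ssid, privacy, rsn, wfa = (line.split("\t") + [""] * 5)[:5]
        ap = aps.setdefault(bssid.lower(), {"ssid": ssid, "privacy": False,
                                            "rsn": False, "wpa": False})
        # Boolean fields print as 1/0 or True/False depending on version.
        ap["privacy"] |= privacy.strip().lower() in ("1", "true")
        ap["rsn"] |= rsn.strip() != ""
        ap["wpa"] |= "1" in wfa.strip().split(",")
    return aps

def classify(ap):
    """Label an AP from the information elements its beacons advertised."""
    if ap["rsn"] and ap["wpa"]:
        return "WPA+WPA2"
    if ap["rsn"]:
        return "WPA2"
    if ap["wpa"]:
        return "WPA"
    # Privacy bit with neither IE is conventionally treated as WEP.
    return "WEP" if ap["privacy"] else "Open"

def encryption_share(text):
    """Percentage of unique APs per encryption label."""
    aps = unique_aps(text)
    counts = Counter(classify(ap) for ap in aps.values())
    return {label: round(100.0 * n / len(aps), 1) for label, n in counts.items()}

if __name__ == "__main__":
    print(len(unique_aps(SAMPLE)), "unique APs:", encryption_share(SAMPLE))
```

Merging the 40 filesets before running this keeps an AP seen in several captures from being counted more than once, since the dictionary is keyed on BSSID.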