Hi there,

When capturing wireless 802.11 packets in Wireshark, is there a way to apply capture filters such as filtering specific SSID's? The NIC is operating in monitor mode so it is capturing broadcast packets from other SSIDs that i do not want.

Any help would be much appreciated.

Thank you.

Wireshark version 1.2.11 Ubuntu 10.10

asked 08 Feb '11, 14:02

taj's gravatar image

taj
1111
accept rate: 0%


Although not really regarding capture filters in wireshark, maybe this helps:

For generating the tracefiles I would recommend using airodumg-ng from the aircrack suite, especially when already running a linux OS.

Sample command for filtering specific SSID would be:

airodumg-ng -c <channelnumber or numbers> --bssid <MAC address of WLAN access point> -w <tracefilename to write to> <interface name of your wireless nic>

e.g. airodumg-ng -c 6 --bssid 00:13:29:11:22:33 -w /usr/sniffer/wireless-trace.pcap

Another advantage is, that airodump only captures one beacon frame per AP, thereby keeping trace fil size and readability much better

link

answered 10 Feb '11, 02:26

Landi's gravatar image

Landi
2.2k51340
accept rate: 28%

Thanks Landi for your reply.

One issue that i am getting is that when i run the above script; i am not getting the transmitted traffic. The test was performed on two machines connected via a ad-hoc connection and they were constantly pinging each other during the airmon-ng capture. However, when i run the tracefile in Wireshark, it does not show the ICMP (ping) packets, it shows the IEEE traffic which is what i want but i also need to see those ICMP packets too. Any ideas??

Really appreciate all your help.

Taj

link

answered 11 Feb '11, 05:08

taj's gravatar image

taj
1111
accept rate: 0%

Sorry for the late answer - been busy...

Do you only see IEEE 802.11 frames ? Because afaik ad-hoc enables WEP encryption thus you see encrypted traffic inside wireshark. Those ICMP packets would then be displayed as 802.11 Data frames.

If that's the case, you would have to enter the encryption key under the protocol preferences of 802.11 and by this enable wireshark to decrypt and display whats inside those frames

(15 Feb '11, 04:32) Landi

Yes, im only seeing the IEEE 802.11 frames but i made sure that there was no security enabled on the adhoc network as i already that i wouldn't see the encrypted content. Any ideas?

Thanks again for your help.

Taj

(15 Feb '11, 09:22) taj

urks... good question - did you completely disable security by setting No encryption and OPEN authentication ? My next guess would be setup was no encryption but shared authentication, which actually is a very weak way of "encrypting" wireless frames...

I just tried to setup ad-hoc to make a test trace, but my smartphone won't do ad-hoc, so next time I got thee stations, I will rerun the setup and take a look at my traces if I see the same problem.

Pls keep me updated on your case

(16 Feb '11, 10:48) Landi

filter: wlan.bssid eq mac_address_of_access_point

link

answered 16 Feb '11, 08:43

vivekjo's gravatar image

vivekjo
1
accept rate: 0%

Yup that's the display filter - taj was looking for a capture filter

(16 Feb '11, 10:24) Landi
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×3

Asked: 08 Feb '11, 14:02

Seen: 6,460 times

Last updated: 16 Feb '11, 10:48

powered by OSQA