Revision history
initial version

You are going to have to decrypt prior to filtering. Have a look at this answer: https://osqa-ask.wireshark.org/questions/24249/decrypt-wpa-with-tshark

I'm not sure it will meet your needs but it is a start - it may only work on capture files already collected, not decrypt --> filter --> store.

If it works, this capture scheme falls into the category of 'just because you can doesn't mean you should'. What do you think will happen when your capture system misses an EAPOL frame? Packet loss is a big issue with wireless networks, so your whole scheme will cease to work until the next plain text EAPOL handshake comes through cleanly. You have already chased packet loss in one of your previous questions, but that was a decrypted data packet. If you miss an EAPOL frame then you can't decrypt at all. If you move to WPA2-Enterprise, the EAPOL handshake will not be enough, either, to decrypt as the PMK is not precomputed (perhaps not a problem in your use case). Also note that most wifi systems have session timeouts which trigger rekeys at certain intervals; sometimes, these rekey events are encrypted themselves, so the next 4-way EAPOL handshake to freshen the PTK and GTK is itself encrypted with the previous PTK. So it's a daisy chain: if you miss one, you would not get the subsequent ones until the wireless client gets a deauth() and the EAPOL handshake occurs unencrypted.

May I suggest you move to a wired capture? Capture at the exit of the AP or the router, for instance. Less traffic to deal with, no decryption problems, and no issue with loss at the capture adapter. Port mirroring switches can be had on Amazon for $25 if your infrastructure does not support it already.
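As an added example (not part of the answer above or of any Wireshark/tshark tool), the following Python script checks whether a capture actually contains a complete 4-way EAPOL handshake per client before anyone attempts decryption. It classifies EAPOL-Key frames by the Key Information bits that distinguish messages 1 to 4, and reports which messages are missing. The raw EAPOL payloads and the client MAC addresses are constructed inline; in practice they would be exported from the capture file.

```python
import struct
from collections import defaultdict

# EAPOL-Key "Key Information" bit positions (IEEE 802.11, RSN key descriptor).
KEY_TYPE_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9

def classify_key_info(key_info):
    """Map a pairwise EAPOL-Key frame to 4-way handshake message 1..4, else None."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return None  # group-key handshake frame, not part of the 4-way exchange
    mic, ack, install, secure = (bool(key_info & b)
                                 for b in (KEY_MIC, KEY_ACK, KEY_INSTALL, KEY_SECURE))
    if ack and not mic:
        return 1
    if mic and not ack and not install and not secure:
        return 2
    if mic and ack and install and secure:
        return 3
    if mic and not ack and not install and secure:
        return 4
    return None

def parse_eapol_key_info(payload):
    """Return Key Information from an EAPOL frame, or None if it is not EAPOL-Key."""
    _version, ptype, _length = struct.unpack_from("!BBH", payload, 0)
    if ptype != 3:          # EAPOL packet type 3 = EAPOL-Key
        return None
    _desc_type, key_info = struct.unpack_from("!BH", payload, 4)
    return key_info

def handshake_gaps(frames):
    """frames: iterable of (client_mac, eapol_bytes). Returns client -> missing messages."""
    seen = defaultdict(set)
    for client, payload in frames:
        key_info = parse_eapol_key_info(payload)
        msg = classify_key_info(key_info) if key_info is not None else None
        if msg:
            seen[client].add(msg)
    return {c: sorted({1, 2, 3, 4} - msgs) for c, msgs in seen.items()}

def eapol_key(key_info):
    # Constructed minimal EAPOL-Key header: version 2, type 3, body length, RSN descriptor (2).
    return struct.pack("!BBHBH", 2, 3, 95, 2, key_info)

# Constructed sample: client A captured cleanly, client B lost message 3 to packet loss.
SAMPLE_FRAMES = [("aa:aa:aa:aa:aa:01", eapol_key(k)) for k in (0x008a, 0x010a, 0x13ca, 0x030a)]
SAMPLE_FRAMES += [("aa:aa:aa:aa:aa:02", eapol_key(k)) for k in (0x008a, 0x010a, 0x030a, 0x1382)]
SAMPLE_GAPS = handshake_gaps(SAMPLE_FRAMES)  # {'aa:..:01': [], 'aa:..:02': [3]}
```

A client listed with a non-empty gap cannot be decrypted from this capture, which is exactly the failure mode the answer warns about.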