get active users from pcap file
After capture wireless traffic to pcap file, what filter should I apply to get the list of active users connected to an access point?
asked 2018-03-06 14:57:36 +0000
This post is a wiki. Anyone with karma >750 is welcome to improve it.
After capture wireless traffic to pcap file, what filter should I apply to get the list of active users connected to an access point?
The easiest answer is to use a managed wifi infrastructure and it will likely just tell you how many clients are currently connected to an AP and the whole system (if you have more than one AP). Sometimes, even standalone APs will tell about all the clients connected. This is a definitive source.
The harder way is to use a wireless packet capture. If you have a single SSID configured, find the BSSID and filter for this; the endpoints tool, with 'limit to display filter' and selecting for 802.11, is useful here.
See https://ask.wireshark.org/question/1918/how-to-detect-packets-only-from-devices-connected-to-my-wifi/ and also probably many other questions.
And for the Endpoints tool, see Statistics --> Endpoints
If you happen to have more than one SSID hosted on an AP, then it depends on what you want. If you only care about who is connected to a particular SSID, then the above is fine. If, as you ask, you want to know how many actual clients are connected to a given AP, regardless of SSID, then it can be tricky. There are techniques, but you have to figure out how your platform assigns BSSIDs to the various SSIDs - it's a common misconception that they all just change the last byte. Some do this, but certainly not all. Others change different bytes in the MAC address so we would have to reverse engineer this pattern, then work up some display filters that are consistent with these platforms.
Before using the endpoint tool you would need to have a good filter in place, as in the linked question provided. The problem with IPs and WiFi is that they are usually encrypted; it is possible to run WiFi without encryption but it is generally a bad idea. But yes, if you are running unencrypted, then the IP address is a good indication of the number of clients connected.
If encrypted, you would be counting MAC addresses. Either way should be reasonable.
Please start posting anonymously - your entry will be published after you log in or create a new account.
Asked: 2018-03-06 14:57:36 +0000
Seen: 3,569 times
Last updated: Mar 06 '18
Capture incoming packets from remote web server
How to filter out TCP retransmissions
Using tshark filters to extract only interesting traffic from 12GB trace
Capture Filters - SSL Handshake or HEX
Computer compromised through Steam personal/financial information stolen HELP [closed]
Is it possible to test a capture filter with already captured traffic?