Ask Your Question
0

best display filter to find open wifi networks?

asked 2019-03-12 03:15:03 +0000

dega gravatar image

I can't find a systematic way to identify a open wifi network.

Please help

Will your solution be compatible with WPA3?

Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-12 23:46:51 +0000

Bob Jones gravatar image

I have had luck with this filter:

wlan.fixed.capabilities.privacy == 0

I haven't run WPA3 yet so don't know if it will be compatible or not. I suspect it will, but until tested, I can't be sure. This would pick up beacons with hidden SSIDs, so more information might come from Probe Responses that have this set like the SSID name. But, realistically, if the network is open with no security hiding the SSID is not going to help much (really at all).

Alternatively, you could look for management frames like beacons and probe responses that don't contain information elements related to WPA and RSN. But you would still have WEP to deal with to identify all open networks.

edit flag offensive delete link more

Comments

Thank Bob for your answer "fixed" do not exist as an attribute in my version (2.2.17). Do I need a special plugin? There should be a simpler answer since simple programs are able to display an open padlock without requiring a plugin.

dega gravatar imagedega ( 2019-03-13 12:59:55 +0000 )edit

No plugin should be needed.

Not knowing why you need to stay on a dated version, I suggest you upgrade. If you can't/won't, then it useful to know that filter syntax comes and goes, as this link documents:

https://www.wireshark.org/docs/dfref/#section_w

I have found the same field in a 1.9.x version we have (for a specific use case) as

wlan_mgt.fixed.capabilities.privacy

Per the docs, this is valid for version:

1.0.0 to 2.2.17
Bob Jones gravatar imageBob Jones ( 2019-03-13 13:18:23 +0000 )edit

Thanks again Bob
The "_mgt" was missing in your first answer. Now your solution works.
The description presented by Wireshark dissector is very misleading ("Privacy: AP/STA cannot support WEP"). It was an appropriate description in 2002 but the latest edition of 802-11 do not mention WEP anymore. The bit now means "encryption required" and is only used by AP (not STA).

But I feel there is a distinction between "unencrypted" and "open" A network may be unencrypted but require a login password.
So, my initial question is still unresolved.
But thanks anyway. I learned about the privacy attribute.

dega gravatar imagedega ( 2019-03-13 22:11:40 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-03-12 03:15:03 +0000

Seen: 2,650 times

Last updated: Mar 12 '19