Ask Your Question
0

How to use tshark to capture proof of poor wireless deployment?

asked 2019-04-26 18:21:12 +0000

downstorffleon gravatar image

Right now im limited with my tshark abilities, but the goal is to deploy linux distros like kali linux to remote locations and have staff setup in problem areas wired and reverse ssl tunnel into them and execute tshark on them over ssh. we have had too many times that the bloat of wireshark program gui locks up the system and we miss what we actually needed want to capture.

currently all i know how to do is run a simple capture filter in monitor mode on my wireless interface using the below command

tshark -i en0 -I -f "ether host <mac addy="">"

I am looking to be a bit more agnostic of the device i and trying to optimize for and look at the wireless as a whole. Such as with wireshark filters for beacon frames and retry packets, can anyone help me develop some of those tshark commands and once i see the filters and the syntax for those i should be able to figure out how to manipulate it for the other filters i am looking to apply.

VERY much appreciated if anyone can assist

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-04-28 13:01:54 +0000

Bob Jones gravatar image

For wireless capture filters, these page are useful to describe the different options available:

https://www.tcpdump.org/manpages/pcap-filter.7.html https://www.tcpdump.org/manpages/tcpdump.1.html http://wifinigel.blogspot.com/2018/04/wireshark-capture-filters-for-80211.html

Some examples from my notes:

Beacons for a specific bssid, last two octets of bssid only (wlan.bssid == 0c:d0:f8:95:3a:4d):

tcpdump -i wlan0 type mgt subtype beacon and wlan[20:2] == 0x3a4d

Beacons for a specific bssid, whole bssid: 

tcpdump -i wlan0 type mgt subtype beacon and wlan[16:4] == 0x0cd0f895 and wlan[20:2] == 0x3a4d

Broadcast traffic, offset method:

tshark -i wlan0 type data and wlan[4:4] == 0xffffffff and wlan[8:2] == 0xffff

Dump all bytes to count offsets (includes radiotap header - to figure out needed offsets)

    tcpdump -xx -i wlan0

802.11 Retry bit set

 Capture:   "type data and wlan[1] & 0x08 != 0"
 Display:   wlan.fc.type == 2 and wlan.fc.retry == 1

tshark -i wlan0 "type data and wlan[1] & 0x08 != 0"

There are other solutions too; for instance, probe responses and other frame types may have retries so you may not want to limit to type/data:

tshark -i wlan0 "wlan[1] & 0x08 != 0"
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-04-26 18:21:12 +0000

Seen: 1,506 times

Last updated: Apr 28 '19

Related questions

only seeing acks with tshark

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Data packets not captured

Any way to use cmd tshark for a gns3 wire?

Computer compromised through Steam personal/financial information stolen HELP [closed]

authority RRs tshark

can I install only tshark?

Wireless controls are not supported in this version of wireshark

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2