
How to use tshark to capture proof of poor wireless deployment?

asked 2019-04-26 18:21:12 +0000

downstorffleon

Right now I'm limited in my tshark abilities, but the goal is to deploy Linux distros like Kali Linux to remote locations, have staff set them up wired in problem areas, reverse SSL tunnel into them, and execute tshark on them over SSH. We have had too many times where the bloat of the Wireshark GUI locks up the system and we miss what we actually wanted to capture.

Currently all I know how to do is run a simple capture filter in monitor mode on my wireless interface using the command below:

    tshark -i en0 -I -f "ether host <mac addy>"

I am looking to be a bit more agnostic of the device I am trying to optimize for and look at the wireless as a whole, such as with Wireshark filters for beacon frames and retry packets. Can anyone help me develop some of those tshark commands? Once I see the filters and the syntax for those, I should be able to figure out how to adapt them for the other filters I am looking to apply.

VERY much appreciated if anyone can assist


1 Answer


answered 2019-04-28 13:01:54 +0000

Bob Jones

For wireless capture filters, these pages are useful for describing the different options available:

Some examples from my notes:

Beacons for a specific BSSID, last two octets of the BSSID only (wlan.bssid == 0c:d0:f8:95:3a:4d):

    tcpdump -i wlan0 type mgt subtype beacon and wlan[20:2] == 0x3a4d

Beacons for a specific BSSID, whole BSSID:

    tcpdump -i wlan0 type mgt subtype beacon and wlan[16:4] == 0x0cd0f895 and wlan[20:2] == 0x3a4d

Broadcast traffic, offset method (filter quoted so the shell does not treat the brackets as a glob):

    tshark -i wlan0 "type data and wlan[4:4] == 0xffffffff and wlan[8:2] == 0xffff"

Dump all bytes to count offsets (includes the radiotap header, to figure out the needed offsets):

    tcpdump -xx -i wlan0

802.11 Retry bit set:

    Capture:   "type data and wlan[1] & 0x08 != 0"
    Display:   wlan.fc.type == 2 and wlan.fc.retry == 1

    tshark -i wlan0 "type data and wlan[1] & 0x08 != 0"

There are other solutions too; for instance, probe responses and other frame types may have retries, so you may not want to limit it to type data:

    tshark -i wlan0 "wlan[1] & 0x08 != 0"
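To check that the byte offsets in the capture filters above really select what the answer says (Retry bit in `wlan[1]`, BSSID in `wlan[16:4]`/`wlan[20:2]`, broadcast receiver in `wlan[4:4]`/`wlan[8:2]`), here is an added Python example that is not part of the answer: it strips a radiotap header, re-implements those filter tests on constructed sample frames, and computes a data-frame retry ratio, the kind of number one would log as evidence of a poor deployment. The sample packets, the `wlan()` helper and the `mk()` frame builder are this example's own constructions.

```python
import struct

def strip_radiotap(pkt: bytes) -> bytes:
    """Return the 802.11 frame that follows the radiotap header (version, pad, u16 LE length)."""
    if len(pkt) < 4 or pkt[0] != 0:
        raise ValueError("not a radiotap-encapsulated packet")
    rt_len = struct.unpack_from("<H", pkt, 2)[0]
    return pkt[rt_len:]

def wlan(frame: bytes, off: int, n: int = 1) -> int:
    """Mirror the capture-filter primitive wlan[off:n]: n bytes at off as a big-endian integer."""
    return int.from_bytes(frame[off:off + n], "big")

def frame_type(frame):    return (frame[0] >> 2) & 0x3     # 0 = mgt, 1 = ctl, 2 = data
def frame_subtype(frame): return (frame[0] >> 4) & 0xF     # 8 = beacon (for mgt frames)
def is_retry(frame):      return wlan(frame, 1) & 0x08 != 0  # "wlan[1] & 0x08 != 0"

def is_beacon_for(frame: bytes, bssid: bytes) -> bool:
    # "type mgt subtype beacon and wlan[16:4] == <first 4 octets> and wlan[20:2] == <last 2>"
    return (frame_type(frame) == 0 and frame_subtype(frame) == 8
            and wlan(frame, 16, 4) == int.from_bytes(bssid[:4], "big")
            and wlan(frame, 20, 2) == int.from_bytes(bssid[4:], "big"))

def is_broadcast_data(frame: bytes) -> bool:
    # "type data and wlan[4:4] == 0xffffffff and wlan[8:2] == 0xffff" (addr1 all-ones)
    return (frame_type(frame) == 2 and wlan(frame, 4, 4) == 0xFFFFFFFF
            and wlan(frame, 8, 2) == 0xFFFF)

def retry_ratio(pkts) -> float:
    """Share of data frames carrying the Retry bit across radiotap packets; 0.0 if none."""
    data = [f for f in map(strip_radiotap, pkts) if frame_type(f) == 2]
    return sum(is_retry(f) for f in data) / len(data) if data else 0.0

# --- constructed sample packets (not real captures) ---
RADIOTAP = bytes.fromhex("0000080000000000")   # version 0, length 8, no present fields
BSSID    = bytes.fromhex("0cd0f8953a4d")       # the BSSID used in the answer
BCAST    = b"\xff" * 6
STA      = bytes.fromhex("02aabbccddee")       # hypothetical client address

def mk(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    # radiotap + frame control (2) + duration (2) + addr1/2/3 (18) + sequence control (2)
    return RADIOTAP + bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

SAMPLE = [
    mk(0x80, 0x00, BCAST, BSSID, BSSID),   # beacon from BSSID
    mk(0x08, 0x08, STA, BSSID, BSSID),     # unicast data frame with Retry bit set
    mk(0x08, 0x00, BCAST, BSSID, BSSID),   # broadcast data frame
    mk(0x08, 0x00, STA, BSSID, BSSID),     # plain unicast data frame
]
```

Run the same predicates over frames from `tshark -w` output (read with any pcap reader) to confirm a filter before deploying it to a remote sensor.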

Asked: 2019-04-26 18:21:12 +0000

Last updated: Apr 28 '19