This site was behind a Cloudflare proxy between September 22, 2016 and February 18th, 2017 and might be subject to sensitive information leaks. See this blog post for more details.

Hi ,

I am trying to use AirPcap to sniff wireless packets using t-shark but I cannot save the capture and use a filter together

C:\Program Files\Wireshark>tshark.exe -a "duration:5" -R "wlan.fc.type_subtype = = 0x08" -i 1 -w D:tshark.cap

tshark: Read filters aren't supported when capturing and saving the captured packets.

So I use t-shark only to capture packets and later try to filter it using rawshark

C:\Program Files\Wireshark>tshark.exe -a "duration:5" -i 1 -w D:tshark.cap

C:\Program Files\Wireshark>rawshark -R "wlan.fc.type_subtype == 0x08" -d encap:105   -r d:\tshark.cap -s -p  -l

Unfortunately the output of the command makes no sense. I am trying to sniff beacons but all I get is a set of 0's

Has anyone tried filtering using tshark or rawshark.

BTW I am trying tshark because I plan to use it in automation. Pls also suggest any better way to do so if any but by command line

Regards TroubledUser

asked 10 Jun '12, 23:30

Trouble%20User's gravatar image

Trouble User
accept rate: 0%

edited 11 Jun '12, 08:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦

Hi Fellow techies ,

Thanks for your replies but it still does not solve my problem .

I still need to know how to filter packets from the capture file because once I get a capture of beacons , based on my script I may need to filter more paramters . I cannot re-run t-shark because I need a single sample of packets and then run multiple filters on them.

To quote an example : 1. I get a capture of 500 beacon packets 2. From 500 Beacons I need to check configurations of 4 "SSID" like beacon interval , capability info 3. So I cannot re-run t-shark 4 times because I am doing some changes on the AP and want to capture the info on all 4 SSID simultaneously.

So your solution on capturing packets holds true if capture needed is only beacons. But here within beacon packets I need 4 Different SSID and their info. I wish to know how to apply a filter to a capture file

Regards Troubled User

(11 Jun '12, 19:20) Trouble User

So capture your beacons and then filter the capture file:

  1. tshark.exe -a "duration:5" -i 1 -f "type mgt subtype beacon" -w D:tshark.cap
  2. tshark -r D:tshark.cap -T fields -e wlan_mgt.ssid -e wlan_mgt.fixed.capabilities

Or if you want to capture packets other than just beacons, then you can apply the display filter to the capture file afterwards:

  1. tshark.exe -a "duration:5" -i 1 -w D:tshark.cap
  2. tshark.exe -r D:tshark.cap -R "wlan.fc.type_subtype == 0x08" -T fields -e wlan_mgt.ssid -e wlan_mgt.fixed.capabilities

Refer to the tshark man page for more information.


answered 12 Jun '12, 09:23

cmaynard's gravatar image

cmaynard ♦
accept rate: 20%

edited 12 Jun '12, 09:26

If you want to see beacon frames, please try this:

tshark -r d:\tshark.cap -R "wlan.fc.type_subtype == 0x08"

The output should look similar to this:

1 0.000000 Z-Com_01:02:03 -> Broadcast 802.11 218 Beacon frame, SN=1740, FN=0, Flags=........, BI=200, SSID=WLAN_TEST



answered 11 Jun '12, 08:43

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 11 Jun '12, 08:44

Try using tshark instead of rawshark, as in:

`tshark -r d:\tshark.cap -R "wlan.fc.type_subtype == 0x08"`

Or, if you really only want to capture beacons, you can use a capture filter to do it instead of a display filter. I can't try this command myself at the moment, but this should work:

tshark.exe -a "duration:5" -i 1 -f "type mgt subtype beacon" -w D:tshark.cap

Unfortunately, the pcap-filter man page is not yet accessible from tcpdump's website, but you can reference it here instead:

For more helpful filtering tips related to this topic, you might also refer to Joke Snelder's "Wireless Display and Capture Filters Samples" article on lovemytool.


answered 11 Jun '12, 08:47

cmaynard's gravatar image

cmaynard ♦
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 10 Jun '12, 23:30

Seen: 6,455 times

Last updated: 12 Jun '12, 09:26

p​o​w​e​r​e​d by O​S​Q​A