Revision history [back]

tshark capture and filter HTTP in WPA2 secured network

I want to capture HTTP traffic of WPA/WPA2 secured network through Alfa adapter, put in a monitor mode, Since, without any capture filter, file size grows quite fast, I want to save only HTTP and EAPOL handshakes to be able to decrypt HTTP packets. I suppose, the filter option should be

tshark -i wlan0mon -f "ether proto 0x888e or tcp port 80" -w tshark.pcap

But tcp port 80 filter works well only in open wifi. In WPA2, it filters out all packets. What options do I have? Or rather what filters might I use to capture as little irrelevant packets (not HTTP or not EAPOL) as possible in WPA network?

tshark capture and filter HTTP in WPA2 secured network

tshark -i wlan0mon -f "ether proto 0x888e or tcp port 80" -w tshark.pcap

Update

The goal is to monitor which unsecured HTTP sites nearby users of some AP of a particular channel visit. For a reliable estimate, statistics should be gathered for a few hours / a day. Users might connect and disconnect at any time so I don't know their MACs beforehand. However, if I don't use any capture filter, or for example drop beacons only (wlan[0] != 0x80), I often see "TCP previous segment not captured" and "TCP ACKed unseen segment". Using wlan host <MAC> results in a more stable capture. But as I've already said, I might not know all potential users' MACs since not all clients might be connected. Wired capture is not an option.