dizcza's profile - activity

2019-08-05 18:09:50 +0000 received badge Popular Question
2019-04-16 16:18:54 +0000 commented answer tshark capture and filter HTTP in WPA2 secured network

Is there a way not to filter by mac in wlan addr1/addr2? Something like wlan addr1 *?

2019-04-13 08:34:01 +0000 commented answer tshark capture and filter HTTP in WPA2 secured network

it may only work on capture files already collected, not decrypt --> filter --> store. Yes, it makes sense. I

2019-04-13 08:33:30 +0000 commented answer tshark capture and filter HTTP in WPA2 secured network

it may only work on capture files already collected, not decrypt --> filter --> store. Yes, it makes sense. I

2019-04-13 08:33:16 +0000 commented answer tshark capture and filter HTTP in WPA2 secured network

it may only work on capture files already collected, not decrypt --> filter --> store. Ye

2019-04-13 08:23:00 +0000 commented answer tshark capture and filter HTTP in WPA2 secured network

I suppose this is the same as wlan host <mac1> or wlan host <mac2>? I don't see such a filter in CaptureFilt

2019-04-13 08:21:35 +0000 marked best answer tshark capture and filter HTTP in WPA2 secured network

I want to capture HTTP traffic of a WPA/WPA2 secured network through an Alfa adapter put in monitor mode. Since, without any capture filter, the file size grows quite fast, I want to save only HTTP and EAPOL handshakes to be able to decrypt HTTP packets. I suppose the filter option should be

tshark -i wlan0mon -f "ether proto 0x888e or tcp port 80" -w tshark.pcap

But the tcp port 80 filter works well only in open wifi. In WPA2, it filters out all packets. What options do I have? Or rather, what filters might I use to capture as few irrelevant packets (not HTTP or not EAPOL) as possible in a WPA network?

Update

The goal is to monitor which unsecured HTTP sites nearby users of some AP of a particular channel visit. For a reliable estimate, statistics should be gathered for a few hours / a day. Users might connect and disconnect at any time so I don't know their MACs beforehand. However, if I don't use any capture filter, or for example drop beacons only (wlan[0] != 0x80), I often see "TCP previous segment not captured" and "TCP ACKed unseen segment". Using wlan host <MAC> results in a more stable capture. But as I've already said, I might not know all potential users' MACs since not all clients might be connected. Wired capture is not an option.

2019-04-13 08:21:35 +0000 received badge Scholar
2019-04-13 08:21:25 +0000 edited question tshark capture and filter HTTP in WPA2 secured network

tshark capture and filter HTTP in WPA2 secured network I want to capture HTTP traffic of WPA/WPA2 secured network throug

2019-04-12 15:54:49 +0000 asked a question tshark capture and filter HTTP in WPA2 secured network

tshark capture and filter HTTP in WPA2 secured network I want to capture HTTP traffic of WPA/WPA2 secured network throug

2019-04-12 08:39:40 +0000 commented question Cannot decrypt POST requests in monitor mode

@Bob, thank you for helping me. The issue appeared to be not persistent. For whatever reasons, yesterday I tried airodum

2019-04-12 08:39:05 +0000 commented question Cannot decrypt POST requests in monitor mode

@Bob, thank you for helping me. The issue appeared to be not persistent. For whatever reasons, yesterday I tried airodum

2019-04-12 08:31:58 +0000 edited question Cannot decrypt POST requests in monitor mode

Cannot decrypt POST requests in monitor mode Hello, wireshark community. I put Alfa adapter in monitor mode and ran airo

2019-04-12 08:27:22 +0000 commented question Cannot decrypt POST requests in monitor mode

@Bob, thank you for helping me. The issue appeared to be not persistent. For whatever reasons, yesterday I tried airodum

2019-04-11 08:24:15 +0000 edited question Cannot decrypt POST requests in monitor mode

Cannot decrypt POST requests in monitor mode Hello, wireshark community. I put Alfa adapter in monitor mode and ran airo

2019-04-11 07:39:20 +0000 received badge Editor
2019-04-11 07:39:20 +0000 edited question Cannot decrypt POST requests in monitor mode

Cannot decrypt POST requests in monitor mode Hello, wireshark community. I put Alfa adapter in monitor mode and ran airo

2019-04-10 14:16:11 +0000 commented question Cannot decrypt POST requests in monitor mode

@Bob, No while in monitor mode and yes in managed mode.

2019-04-10 11:45:24 +0000 commented question Cannot decrypt POST requests in monitor mode

I can see POST requests in wireshark through the same interface in managed mode.

2019-04-10 05:47:32 +0000 asked a question Cannot decrypt POST requests in monitor mode

Cannot decrypt POST requests in monitor mode Hello, wireshark community. I put Alfa adapter in monitor mode and ran airo