We are looking for a command-line option in tshark to enable Initialization Vector from the Ignore protection bit list in the Wireshark GUI.

Hi Wireshark team, Actually, we are looking for a command-line option in tshark to enable Initialization Vector from the Ignore protection bit list in the Wireshark GUI. It would be a lot of help to us. Could you please help with this?

Praneeth Thodeti
asked 2024-03-08 07:41:52 +0000
Guy Harris
updated 2024-03-08 19:36:21 +0000
1 Answer

1

Similar question: Display decrypted WLAN traffic that has the Protected bit set

Screenshot of preference in the Wireshark gui: Wi-Fi (WLAN, IEEE 802.11)

Setting an option on the command line with tshark:

-o <preference>:<value>
Set a preference value, overriding the default value and any value read from a preference file. The argument to the option is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set.

The preference is wlan.ignore_wep defined in dissectors/packet-ieee80211.c:

  prefs_register_enum_preference(wlan_module, "ignore_wep",
    "Ignore the Protection bit",
    "Some 802.11 cards leave the Protection bit set even though the packet is decrypted, "
    "and some also leave the IV (initialization vector).",
    &wlan_ignore_prot, wlan_ignore_prot_options, TRUE);

The valid values are defined here:

static const enum_val_t wlan_ignore_prot_options[] = {
  { "no",         "No",               WLAN_IGNORE_PROT_NO    },
  { "without_iv", "Yes - without IV", WLAN_IGNORE_PROT_WO_IV },
  { "with_iv",    "Yes - with IV",    WLAN_IGNORE_PROT_W_IV  },
  { NULL,         NULL,               0                     }
};

Tested with Wireshark to see the setting in preferences gui:

C:\>wireshark -o wlan.ignore_wep:without_iv

C:\>wireshark -o wlan.ignore_wep:with_iv

C:\>wireshark -o wlan.ignore_wep:no
Chuckc
answered 2024-03-08 15:16:53 +0000

Comments

Unfortunately, the documentation on preferences isn't very good, where "isn't very good" means "close to nonexistent"; I filed a bug on that many years ago.

Guy Harris (2024-03-08 19:42:21 +0000)

Thanks Chuckc,

That helped us a lot. Here is the filter I am using; it's working fine.

tshark -r C:/16.x.x.pcap -o wlan.ignore_wep:with_iv -n -Y "(icmp.type == 8) && (ip.dst == 192.168.1.1) && (ip.src == 192.168.1.241)" -w C:/temp.pcap

Praneeth Thodeti (2024-03-10 12:55:56 +0000)
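
To find out which of the three wlan.ignore_wep values a given capture needs, the script below runs tshark once per value and counts the frames that match a display filter. It is an added example, not part of the original answer or of Wireshark; the script name and function names are hypothetical, and it assumes tshark is on the PATH.

```python
import subprocess
import sys

# Values of wlan.ignore_wep, from wlan_ignore_prot_options in the answer above.
MODES = ("no", "without_iv", "with_iv")


def tshark_argv(pcap, mode, display_filter):
    """Build a tshark command line that prints one frame number per match."""
    if mode not in MODES:
        raise ValueError(f"wlan.ignore_wep must be one of {MODES}, got {mode!r}")
    return [
        "tshark", "-n", "-r", pcap,
        "-o", f"wlan.ignore_wep:{mode}",
        # Passed as one argv element, so no shell ever interprets the
        # parentheses or && inside the display filter.
        "-Y", display_filter,
        "-T", "fields", "-e", "frame.number",
    ]


def count_matches(pcap, mode, display_filter, run=subprocess.run):
    """Run tshark once and count the frames that match the display filter."""
    result = run(tshark_argv(pcap, mode, display_filter),
                 capture_output=True, text=True, check=True)
    return sum(1 for line in result.stdout.splitlines() if line.strip())


def compare_modes(pcap, display_filter, run=subprocess.run):
    """Return {mode: matching frame count} for every wlan.ignore_wep value."""
    return {m: count_matches(pcap, m, display_filter, run) for m in MODES}


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python compare_ignore_wep.py capture.pcap "icmp.type == 8"
    if len(sys.argv) == 3:
        for mode, n in compare_modes(sys.argv[1], sys.argv[2]).items():
            print(f"wlan.ignore_wep:{mode:<10} {n} matching frame(s)")
    else:
        print("usage: compare_ignore_wep.py <capture> <display filter>")
```

The value that yields matches for an upper-layer filter such as `icmp` is the one under which the data frames are being dissected past the 802.11 header.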