
How to use tshark to capture proof of poor wireless deployment?

Right now I'm limited with my tshark abilities, but the goal is to deploy Linux distros like Kali Linux to remote locations, have staff set them up wired in problem areas, reverse SSL tunnel into them and execute tshark on them over SSH. We have had too many times that the bloat of the Wireshark GUI locks up the system and we miss what we actually need to capture.

Currently all I know how to do is run a simple capture filter in monitor mode on my wireless interface using the command below:

tshark -i en0 -I -f "ether host <mac addy>"

I am looking to be a bit more agnostic of the device I am trying to optimize for and look at the wireless as a whole, such as with Wireshark filters for beacon frames and retry packets. Can anyone help me develop some of those tshark commands? Once I see the filters and the syntax for those I should be able to figure out how to manipulate it for the other filters I am looking to apply.

VERY much appreciated if anyone can assist.

downstorffleon
asked 2019-04-26 18:21:12 +0000

1 Answer


For wireless capture filters, these pages are useful for describing the different options available:

https://www.tcpdump.org/manpages/pcap-filter.7.html
https://www.tcpdump.org/manpages/tcpdump.1.html
http://wifinigel.blogspot.com/2018/04/wireshark-capture-filters-for-80211.html

Some examples from my notes:

Beacons for a specific BSSID, last two octets of the BSSID only (wlan.bssid == 0c:d0:f8:95:3a:4d):

tcpdump -i wlan0 type mgt subtype beacon and wlan[20:2] == 0x3a4d

Beacons for a specific BSSID, whole BSSID:

tcpdump -i wlan0 type mgt subtype beacon and wlan[16:4] == 0x0cd0f895 and wlan[20:2] == 0x3a4d

Broadcast traffic, offset method:

tshark -i wlan0 type data and wlan[4:4] == 0xffffffff and wlan[8:2] == 0xffff

Dump all bytes to count offsets (includes the radiotap header, to figure out the needed offsets):

    tcpdump -xx -i wlan0

802.11 Retry bit set:

    Capture:   "type data and wlan[1] & 0x08 != 0"
    Display:   wlan.fc.type == 2 and wlan.fc.retry == 1

tshark -i wlan0 "type data and wlan[1] & 0x08 != 0"

There are other solutions too; for instance, probe responses and other frame types may have retries, so you may not want to limit to type data:

tshark -i wlan0 "wlan[1] & 0x08 != 0"
Bob Jones
answered 2019-04-28 13:01:54 +0000
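The byte offsets the answer above relies on (BSSID at wlan[16:4]/wlan[20:2], Retry bit at wlan[1] & 0x08) are easy to get wrong when you adapt them to another BSSID or frame type. The following is an added example, not code from the original answer: it builds those capture filters from a BSSID string and decodes a constructed 24-byte beacon header at the same offsets so you can confirm what each filter expression is really comparing. All function names and the sample frame are my own.

```python
"""Added example: generate 802.11 capture filters and verify their offsets
against a constructed beacon MAC header (radiotap header not included)."""

# Offsets into the 802.11 MAC header as seen by the pcap filter engine on a
# monitor-mode interface (use `tcpdump -xx` to confirm on your own driver).
FC_OFFSET = 0        # 2-byte frame control field
ADDR1_OFFSET = 4     # DA / RA
ADDR2_OFFSET = 10    # SA / TA
BSSID_OFFSET = 16    # Address 3 = BSSID in beacons and most data frames
RETRY_BIT = 0x08     # bit 3 of the second frame-control byte

def bssid_capture_filter(bssid: str) -> str:
    """Beacons from one BSSID. The compare is split into a 4-byte and a
    2-byte piece because a BPF wlan[n:m] compare handles at most 4 bytes."""
    raw = bytes.fromhex(bssid.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {bssid}")
    hi, lo = raw[:4].hex(), raw[4:].hex()
    return (f"type mgt subtype beacon and wlan[{BSSID_OFFSET}:4] == 0x{hi} "
            f"and wlan[{BSSID_OFFSET + 4}:2] == 0x{lo}")

def retry_capture_filter(data_only: bool = False) -> str:
    """Frames with the Retry flag set, optionally restricted to data frames."""
    expr = f"wlan[1] & 0x{RETRY_BIT:02x} != 0"
    return f"type data and {expr}" if data_only else expr

def describe_frame(frame: bytes) -> dict:
    """Decode exactly the fields the filters above test, straight from offsets."""
    fc0, fc1 = frame[FC_OFFSET], frame[FC_OFFSET + 1]
    return {
        "type": (fc0 >> 2) & 0x3,        # 0 = mgt, 1 = ctl, 2 = data
        "subtype": (fc0 >> 4) & 0xF,     # 8 = beacon when type is mgt
        "retry": bool(fc1 & RETRY_BIT),
        "addr1": frame[ADDR1_OFFSET:ADDR1_OFFSET + 6].hex(":"),
        "bssid": frame[BSSID_OFFSET:BSSID_OFFSET + 6].hex(":"),
    }

def build_beacon_header(bssid: str, retry: bool = False) -> bytes:
    """Constructed sample: a 24-byte beacon MAC header with no frame body."""
    fc0 = 0x80                                   # type 0 (mgt), subtype 8 (beacon)
    fc1 = RETRY_BIT if retry else 0x00           # flags byte
    bssid_raw = bytes.fromhex(bssid.replace(":", ""))
    broadcast = b"\xff" * 6                      # beacons are sent to DA ff:ff:...
    return (bytes([fc0, fc1]) + b"\x00\x00"      # frame control, duration
            + broadcast + bssid_raw + bssid_raw  # addr1 = DA, addr2 = SA, addr3 = BSSID
            + b"\x00\x00")                       # sequence control

if __name__ == "__main__":
    print(bssid_capture_filter("0c:d0:f8:95:3a:4d"))
    print(describe_frame(build_beacon_header("0c:d0:f8:95:3a:4d", retry=True)))
```

Pass the generated string to tshark with -f (or as trailing arguments) on the monitor interface; the display-filter equivalent for the retry case stays wlan.fc.retry == 1.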