Check out these great references as well:
Our custom profiles repository for Wireshark
Our Udemy course on Wireshark
Our Udemy course on Wireless Packet capture
As those who have studied our Wireless Profile (available from the Profile Repository) know, there are a number of great display filters for hunting down issues on wireless LANs. For example, when you see a lot of Disassociation and Deauthentication frames, there may be trouble brewing within the WLAN. Perhaps those frames are being sent by a malicious source and not by the Access Point.
On a recent troubleshooting job we wanted to capture only those frames as they occurred, so instead of a display filter (which is applied after everything has been captured) we wanted a capture filter, which tells the capture engine to keep only matching frames in the first place.
Here is how I solved the problem. I used tshark.
To start, I opened Windows PowerShell (I am trying to teach myself to use PowerShell more than CMD, but like anyone else who has used Microsoft since before Windows, I struggle!) and, with my AirPcap interface plugged in, checked that I could see the interface. First I changed directory to the Wireshark program directory (in PowerShell you have to put the path in quotes when it contains a space), then I ran tshark with the -D option to list the available capture interfaces (again a PowerShell thing: you have to prefix the command with './' to run an executable from the current directory):
In that list the AirPcap adapter is clearly the first interface, so its interface number is 1.
Now we can issue the following command (-i selects interface 1 from the list above and -f sets the capture filter):
tshark -i 1 -f "subtype deauth or subtype disassoc"
The result (I let it run for a little while; Ctrl-C stops the capture):
How cool is that?? We can quickly see the MAC addresses involved; they should match the systems I expect to be sending these frames, otherwise I may have an intruder. One caveat: unless the WLAN uses Protected Management Frames (802.11w), deauthentication and disassociation frames are not authenticated, so an attacker can put the Access Point's own address in the source field. An unexpected source address is a strong signal of trouble, but a familiar one is not proof that the AP really sent the frame.
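As an added example (not code from the original post), here is the same capture wrapped in a short PowerShell script. It runs tshark with the capture filter above for a fixed time, prints one line per frame using tshark's -T fields output, and tallies which source addresses sent deauth/disassoc frames against a list of your own access points. The Wireshark install path, the interface number and the addresses in $knownAPs are assumptions that you need to change for your own network.

```powershell
# Added example, not code from the original post. Assumes the default Wireshark
# install path and that interface 1 is the AirPcap adapter (confirm with
# .\tshark.exe -D, as in the article). Change $knownAPs to your own BSSIDs.
$tshark = "C:\Program Files\Wireshark\tshark.exe"   # assumed path; '&' runs a quoted path
$iface  = 1

# Hypothetical list of the access points you manage, as lower-case MAC addresses.
# Only these should legitimately send deauth/disassoc frames to your clients.
$knownAPs = @("00:11:22:33:44:55", "00:11:22:33:44:66")

# Same BPF capture filter as the article. It only compiles when the adapter
# hands libpcap raw 802.11 frames (monitor mode); it is not a display filter.
$capFilter = "subtype deauth or subtype disassoc"

# Capture for 60 seconds and print one tab-separated line per frame:
# source, destination, BSSID, frame type/subtype, reason code.
$lines = & $tshark -i $iface -f $capFilter -a duration:60 -l `
    -T fields -E separator=/t `
    -e wlan.sa -e wlan.da -e wlan.bssid -e wlan.fc.type_subtype -e wlan.fixed.reason_code

# Tally frames per source/destination/reason so a flood stands out at a glance.
$tally = @{}
foreach ($line in $lines) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $sa, $da, $bssid, $subtype, $reason = $line -split "`t"
    # type_subtype is 0x000c for deauth and 0x000a for disassoc; [int] accepts
    # either a decimal or a 0x-prefixed hex string, whichever tshark prints.
    $kind = switch ([int]$subtype) {
        12      { "deauth" }
        10      { "disassoc" }
        default { "subtype $subtype" }
    }
    $key = "$sa -> $da  $kind reason=$reason bssid=$bssid"
    if ($tally.ContainsKey($key)) { $tally[$key]++ } else { $tally[$key] = 1 }
}

# Report, flagging any source address that is not one of our own APs.
foreach ($entry in ($tally.GetEnumerator() | Sort-Object Value -Descending)) {
    $sa  = ($entry.Key -split " ")[0].ToLower()
    $tag = if ($knownAPs -contains $sa) { "known AP" } else { "UNEXPECTED SOURCE" }
    "{0,6}  {1}  [{2}]" -f $entry.Value, $entry.Key, $tag
}
```

Run it from a shell that is allowed to open the capture adapter. Because the source address of an unprotected management frame is whatever the sender puts there, treat "known AP" as "address matches", not as proof of origin; a sudden spike in the count for a known AP address, especially with an unusual reason code, deserves the same attention as an unexpected source.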
There is so much more you can do with tshark using capture filters like this. Keep in mind that this is Berkeley Packet Filter (BPF) syntax, documented in the pcap-filter man page; a good reference for the syntax can be found here. Note also that the 802.11 primitives such as "subtype deauth" only work when the capture interface delivers raw 802.11 frames, as the AirPcap adapter does in monitor mode; on an adapter that presents Ethernet frames the filter will fail to compile.
To see some of our other tshark articles – look here.
Let us know what other clever tshark uses you come up with.