tshark Use in Wireless Networking

Check out these great references as well:

 Our custom profiles repository for Wireshark
 Our Udemy course on Wireshark 
 Our Udemy course on Wireless Packet capture

As those who have studied our Wireless Profile (available from the Profile Repository) know, there are a number of great display filters used to hunt down issues on Wireless LAN’s.  For example, when you see a lot of Disassociations and Deauthentications, there may be trouble brewing within the WLAN.  Perhaps those events are being caused by a malicious source, and not the Access Point.

On a recent troubleshoot, we wanted to only capture when those events occurred, so instead of using a display filter, we wanted to use a capture filter.

Here is how I solved the problem.  I used tshark.

To start, I opened Windows Powershell (I am trying to teach myself to use Powershell more than CMD, but like anyone else who has used Microsoft since before Windows, I struggle!) and with my AirPcap interface plugged in checked to make sure I could see the interface.  You will see below that first I changed directory to the Wireshark program directory (in Powershell you have to put the command in quotes when there is a ‘space’ in the path), then I ran T-Shark to display the current interfaces (again a Powershell thing, you have to start the command with ‘./’ tyo get it to execute):

wlantshark1

We clearly see that it is the first interface in the list.

Now we can issue the following command:

tshark -i 1 -f "subtype deauth or subtype disassoc"

The result (I let it run for a little while, CTRL-C will stop):

wlantshark2

How cool is that??  We can quickly see the MAC addresses involved (they should match systems I am expecting to send these packets, else I have an intruder).

There is so much more you can do with T-Shark using this type of capture filter procedure.  Keep in mind this is Berkeley Packet Filter (BPF) syntax and a good reference for the syntax can be found here.

To see some of our other tshark articles – look here.

Let us know what other clever tshark uses you come up with.

Comments are welcomed below from registered users.  You can also leave comments at our Discord server

If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!

Leave a Comment

Contact Us Here


Please verify.
Validation complete :)
Validation failed :(
 
Your contact request has been received. We usually respond within an hour, but please be patient. We will get back to you very soon.
Scroll to Top