Sometimes Wireshark doesn't handle large pcap files gracefully, particularly files over a few GiB. Not to mention, using display filters to find exactly what you're looking for takes a long time (and isn't scriptable).
Enter tshark, the command-line version of Wireshark. I realized that, probably because I don't use it every day, each time I use tshark I find myself googling for the right arguments and filters. This post is a cheat-sheet for myself to remember some handy filters; maybe someone else will find them useful too.
Generally if I'm using tshark, it's because I need to find some interesting packets within a much larger capture file. To do this, I have tshark read in the large pcap file, apply a filter, and write the filtered packets out to a new file using a command like this:
tshark -n -r input.pcapng -w output.pcapng -Y "filter"
Some tools don't yet process the pcapng format (e.g. aircrack-ng). You can use the -F flag to tell tshark to output the older format like this:
tshark -n -r input.pcapng -w output.pcap -F pcap -Y "filter"
Note: I use the -n flag to disable name resolution, including MAC OUIs. This is so I can more easily copy/paste MAC addresses with other tools.
The table below contains some display filters for specific use cases. Note that these will work with Wireshark and tshark.
Use Case | Filter | Notes |
---|---|---|
Beacons | wlan.fc.type==0 && wlan.fc.subtype==8 && wlan.ssid==WCTF_01 | Change ssid to target SSID |
Probe Requests | wlan.fc.type==0 && wlan.fc.subtype==4 | |
EAPOL Handshake | (wlan.ta==1a:a6:f7:31:91:48 || wlan.ra==1a:a6:f7:31:91:48) && eapol | Set ta/ra to target AP MAC |
Data Frames | (wlan.ta==18:a6:f7:31:91:49 || wlan.ra==18:a6:f7:31:91:49) && wlan.fc.type==2 | Set ta/ra to target AP MAC |
I may add to the list above if I come across other common WiFi filters, but for now these are the ones I use most often.
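As an added example that is not part of the original post: a small Python wrapper that builds the table's filters from a target SSID or AP MAC and assembles the read/filter/write command as an argv list rather than a shell string, so the filter's quotes and `||` never reach a shell. The use-case names, function names and the MAC/SSID values in the example are my own.

```python
import re
import shlex
import subprocess

# Colon-separated hex MAC, as tshark -n prints it (case is normalized below).
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def addr_filter(ap_mac):
    """Frames where the AP is transmitter or receiver (the ta/ra pattern from the table)."""
    ap_mac = ap_mac.lower()
    if not _MAC_RE.match(ap_mac):
        raise ValueError(f"expected a colon-separated MAC, got {ap_mac!r}")
    return f"(wlan.ta=={ap_mac} || wlan.ra=={ap_mac})"


def build_filter(use_case, ssid=None, ap_mac=None):
    """Return the display filter for one of the cheat-sheet use cases."""
    if use_case == "beacons":
        if not ssid or '"' in ssid:
            raise ValueError("beacons needs an SSID without double quotes")
        # wlan.ssid is a string field, so the value is double-quoted inside the filter.
        return f'wlan.fc.type==0 && wlan.fc.subtype==8 && wlan.ssid=="{ssid}"'
    if use_case == "probe-requests":
        return "wlan.fc.type==0 && wlan.fc.subtype==4"
    if use_case == "eapol":
        return f"{addr_filter(ap_mac)} && eapol"
    if use_case == "data":
        return f"{addr_filter(ap_mac)} && wlan.fc.type==2"
    raise ValueError(f"unknown use case {use_case!r}")


def tshark_cmd(infile, outfile, display_filter, legacy_pcap=False):
    """argv for the read/filter/write command from the post; -n keeps MACs unresolved."""
    argv = ["tshark", "-n", "-r", infile, "-w", outfile]
    if legacy_pcap:
        argv += ["-F", "pcap"]  # for tools such as aircrack-ng that only read pcap
    return argv + ["-Y", display_filter]


def extract(infile, outfile, use_case, ssid=None, ap_mac=None, legacy_pcap=False):
    """Run the filter and return the CompletedProcess (needs tshark on PATH)."""
    argv = tshark_cmd(infile, outfile, build_filter(use_case, ssid, ap_mac), legacy_pcap)
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed AP MAC: pull the EAPOL handshake out of a large capture as legacy pcap.
    flt = build_filter("eapol", ap_mac="1A:A6:F7:31:91:48")
    print(shlex.join(tshark_cmd("input.pcapng", "handshake.pcap", flt, legacy_pcap=True)))
```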
Hi, where do protocols like DNS or HTTPS belong? Do they belong to the data frames?