This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Rawshark or tshark for wireless traffic

0

Hi ,

I am trying to use AirPcap to sniff wireless packets using t-shark but I cannot save the capture and use a filter together

C:\Program Files\Wireshark>tshark.exe -a "duration:5" -R "wlan.fc.type_subtype = = 0x08" -i 1 -w D:tshark.cap

tshark: Read filters aren't supported when capturing and saving the captured packets.

So I use t-shark only to capture packets and later try to filter it using rawshark

C:\Program Files\Wireshark>tshark.exe -a "duration:5" -i 1 -w D:tshark.cap


C:\Program Files\Wireshark>rawshark -R "wlan.fc.type_subtype == 0x08" -d encap:105   -r d:\tshark.cap -s -p  -l

Unfortunately the output of the command makes no sense. I am trying to sniff beacons but all I get is a set of 0’s

Has anyone tried filtering using tshark or rawshark.

BTW I am trying tshark because I plan to use it in automation. Pls also suggest any better way to do so if any but by command line

Regards TroubledUser

asked 10 Jun ‘12, 23:30

Trouble%20User's gravatar image

Trouble User
1112
accept rate: 0%

edited 11 Jun ‘12, 08:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

Hi Fellow techies ,

Thanks for your replies but it still does not solve my problem .

I still need to know how to filter packets from the capture file because once I get a capture of beacons , based on my script I may need to filter more paramters . I cannot re-run t-shark because I need a single sample of packets and then run multiple filters on them.

To quote an example : 1. I get a capture of 500 beacon packets 2. From 500 Beacons I need to check configurations of 4 “SSID” like beacon interval , capability info 3. So I cannot re-run t-shark 4 times because I am doing some changes on the AP and want to capture the info on all 4 SSID simultaneously.

So your solution on capturing packets holds true if capture needed is only beacons. But here within beacon packets I need 4 Different SSID and their info. I wish to know how to apply a filter to a capture file

Regards Troubled User

(11 Jun ‘12, 19:20) Trouble User

3 Answers:

1

So capture your beacons and then filter the capture file:

  1. tshark.exe -a "duration:5" -i 1 -f "type mgt subtype beacon" -w D:tshark.cap
  2. tshark -r D:tshark.cap -T fields -e wlan_mgt.ssid -e wlan_mgt.fixed.capabilities

Or if you want to capture packets other than just beacons, then you can apply the display filter to the capture file afterwards:

  1. tshark.exe -a "duration:5" -i 1 -w D:tshark.cap
  2. tshark.exe -r D:tshark.cap -R "wlan.fc.type_subtype == 0x08" -T fields -e wlan_mgt.ssid -e wlan_mgt.fixed.capabilities

Refer to the tshark man page for more information.

answered 12 Jun '12, 09:23

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

edited 12 Jun '12, 09:26

0

If you want to see beacon frames, please try this:

tshark -r d:\tshark.cap -R "wlan.fc.type_subtype == 0x08"

The output should look similar to this:

1 0.000000 Z-Com_01:02:03 -> Broadcast 802.11 218 Beacon frame, SN=1740, FN=0, Flags=........, BI=200, SSID=WLAN_TEST

Regards
Kurt

answered 11 Jun '12, 08:43

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 11 Jun '12, 08:44

0

Try using tshark instead of rawshark, as in:

`tshark -r d:\tshark.cap -R "wlan.fc.type_subtype == 0x08"`

Or, if you really only want to capture beacons, you can use a capture filter to do it instead of a display filter. I can't try this command myself at the moment, but this should work:

tshark.exe -a "duration:5" -i 1 -f "type mgt subtype beacon" -w D:tshark.cap

Unfortunately, the pcap-filter man page is not yet accessible from tcpdump's website, but you can reference it here instead: http://www.manpagez.com/man/7/pcap-filter/.

For more helpful filtering tips related to this topic, you might also refer to Joke Snelder's "Wireless Display and Capture Filters Samples" article on lovemytool.

answered 11 Jun '12, 08:47

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%