Tshark: Strip WPA Wireless Captures by ESSID with Tshark
http://www.question-defense.com/2010/03/29/tsha...
A while ago I wrote a short tutorial on how to strip down a wireless capture containing a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a slightly better way to do it, so I decided to make a new post. In the previous article I showed how to strip by wlan.mgt frames containing the MAC address. The problem with that approach is that it also strips out lots of other packets which some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.
I also had a customer of our online WPA cracker server who was having trouble stripping a capture, so I decided to whip
#!/bin/bash
# stripper.sh: keep only what WPA cracking tools need from a wireless capture:
# the EAPOL frames (4-way handshake) plus the management frames carrying the target ESSID.
echo "This script requires tshark"
echo "Checking for tshark"
if which tshark > /dev/null 2>&1; then   # dependency check, as in the sample run below
    echo "tshark found"
    echo "Moving on...."
else
    echo "tshark not found, install Wireshark/tshark first"
    exit 1
fi
echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap):"
read cap_path
while [ ! -f "$cap_path" ]; do
    echo "File cannot be found or does not exist"
    echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap):"
    read cap_path
done
echo "Please enter the ESSID (ex. NETGEAR)"
read essid
while [ -z "$essid" ]; do
    echo "You still didnt enter any data n00b"
    echo
    echo "Please enter the ESSID (ex. NETGEAR)"
    read essid
done
echo
echo "Stripping file...."
# Keep EAPOL frames, any management frame whose tag interpretation is the ESSID, and beacons
# (type/subtype 0x08) whose SSID tag is the ESSID. The ESSID is quoted so names with spaces work.
# On tshark 2.x and later the wlan_mgt.* fields are named wlan.* (e.g. wlan.ssid) and -R needs
# two-pass mode (-2 -R); -Y is the single-pass equivalent.
tshark -r "$cap_path" -R "eapol || wlan_mgt.tag.interpretation eq \"$essid\" || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq \"$essid\")" -w stripped.cap
echo
echo "Your stripped file should be located in the current directory and named stripped.cap."
If you want to use this, simply create a file called stripper.sh and paste this script into it.
Next make the script executable by issuing the command:
chmod 755 stripper.sh
Once you have done that, simply run the script.
Example of the script being run:
[root@dev-tools ~]# ./stripper.sh
This script requires tshark
Checking for tshark
tshark found
Moving on....
06/01/15 21:42
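The filter the script hands to tshark is easier to reason about when the same selection is done by hand. The following is an added example, not code from the original post: a small pure-Python reader for classic pcap files that keeps what the beacon and EAPOL terms of the filter above keep from a raw 802.11 capture, that is, EAPOL frames plus beacons whose SSID tag equals the target ESSID, and writes the survivors to stripped.cap. It assumes the capture's link type is raw 802.11 (LINKTYPE_IEEE802_11 = 105, which is what airodump-ng normally writes) and rejects anything else, since a radiotap capture would need its header removed first. The function names, the MAC addresses and the seven sample frames are all constructed for the demonstration, and the example deliberately leaves out the wlan_mgt.tag.interpretation clause, which would additionally pull in probe responses and association frames that carry the ESSID.

```python
# Added example, not part of the original post: a pure-Python version of the
# beacon + EAPOL part of the tshark filter used above,
#     eapol || (wlan.fc.type_subtype == 0x08 && wlan_mgt.ssid eq <essid>)
# Works on classic little-endian pcap with raw 802.11 frames (link type 105).
# All sample frames and MAC addresses below are constructed for the demo.
import struct

LINKTYPE_IEEE802_11 = 105
PCAP_MAGIC = 0xA1B2C3D4
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E


def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]) from little-endian pcap bytes."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkts.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, pkts


def write_pcap(linktype, pkts):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in pkts:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def beacon_ssid(frame):
    """SSID of a beacon frame (wlan.fc.type_subtype == 0x08), else None."""
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:  # version 0, type mgmt, subtype 8
        return None
    off = 24 + 12  # MAC header + fixed params (timestamp, beacon interval, capabilities)
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        if tag == 0:  # tag 0 = SSID parameter set
            return frame[off + 2:off + 2 + length].decode("utf-8", "replace")
        off += 2 + length
    return None


def is_eapol(frame):
    """True for an unencrypted data frame whose LLC/SNAP header says EAPOL (the 4-way handshake)."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 2:  # type 2 = data
        return False
    if frame[1] & 0x40:  # Protected bit set: payload is encrypted, not a handshake frame
        return False
    hdr = 24
    if (frame[1] & 0x03) == 0x03:  # ToDS+FromDS: a 4th address is present
        hdr += 6
    if frame[0] & 0x80:  # QoS data subtypes carry a 2-byte QoS Control field
        hdr += 2
    return frame[hdr:hdr + 8] == LLC_SNAP_EAPOL


def strip_capture(pcap_bytes, essid):
    """Keep only EAPOL frames and beacons advertising `essid`; return the new pcap bytes."""
    linktype, pkts = parse_pcap(pcap_bytes)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (link type 105), got %d" % linktype)
    kept = [p for p in pkts if is_eapol(p[2]) or beacon_ssid(p[2]) == essid]
    return write_pcap(linktype, kept)


def summarize(pcap_bytes):
    """Frame counts a cracker cares about: a beacon plus the EAPOL handshake must survive."""
    _, pkts = parse_pcap(pcap_bytes)
    frames = [p[2] for p in pkts]
    return {"frames": len(frames),
            "beacons": sum(beacon_ssid(f) is not None for f in frames),
            "eapol": sum(is_eapol(f) for f in frames)}


# --- constructed sample frames (hypothetical MAC addresses) ---------------------------
def _beacon(bssid, ssid):
    hdr = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])  # SSID + supported rates
    return hdr + fixed + tags


def _eapol(sta, bssid, to_ds):
    a1, a2, a3 = (bssid, sta, bssid) if to_ds else (sta, bssid, bssid)
    hdr = bytes([0x08, 0x01 if to_ds else 0x02, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"
    body = bytes([0x02, 0x03]) + struct.pack(">H", 95) + b"\x02" + b"\x00" * 94  # EAPOL-Key, RSN
    return hdr + LLC_SNAP_EAPOL + body


def sample_capture():
    """Target AP beacon, a neighbour's beacon, one encrypted data frame, and a 4-frame handshake."""
    ap, nbr, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
    encrypted = bytes([0x08, 0x42, 0, 0]) + sta + ap + ap + b"\x00\x00" + b"\x11" * 40  # FromDS + Protected
    frames = [_beacon(ap, "NETGEAR"), _beacon(nbr, "Neighbour"), encrypted,
              _eapol(sta, ap, False), _eapol(sta, ap, True), _eapol(sta, ap, False), _eapol(sta, ap, True)]
    return write_pcap(LINKTYPE_IEEE802_11, [(1269820800 + i, 0, f) for i, f in enumerate(frames)])


if __name__ == "__main__":
    cap = sample_capture()
    stripped = strip_capture(cap, "NETGEAR")
    print(summarize(cap), "->", summarize(stripped))
    with open("stripped.cap", "wb") as fh:
        fh.write(stripped)
```

summarize() is the check worth running on any stripped file, whether it was produced by tshark or by this script: if it reports zero beacons, the file carries no ESSID for the cracker to pair with the handshake, which is the symptom two commenters below describe; aircrack-ng can make do with two of the four EAPOL messages, but it needs the ANonce from message 1 or 3 together with the MIC-carrying message 2, so fewer than four EAPOL frames is a warning sign rather than an automatic failure.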
Tags: beacon, capture, data, eapol, frame, stripped, tshark, wpa
WLAN_7E6E
Thanks.
ALEX
Hello WLAN_7E6E,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
PETRU
Yup, very interesting and educational. You guys are still the best (I mean Americans, because I'm not an American). I think I'll use your WPA cracker too. Till the next time, be healthy and have fun.
ALEX
Hello Petru,
Thanks for the compliment. We however support a world where all are equal and we share the same respect for all regardless of birthplace. Sorry for the delayed response, got overwhelmed with comments and just now trying to catch up. Anyhow hope you find our online password audit/password cracking services at http://tools.question-defense.com useful and valuable.
Anyhow thanks for taking the time to post feedback on our site.
Thanks.
alex
FAISAL
Hello sir, I already have the password in the handshake capture file. How can I see that password?
ALEX
Hello faisal,
You would need to use either software such as oclHashcat+ or aircrack-ng or an
online service like ours located at http://tools.question-defense.com. Good luck
and thanks for leaving feedback!
Thanks.
alex
COMPILINGENTROPY
Hmm, it seems your website thinks part of my command is HTML. Here's the actual command (last time!):
tshark -r [input file] -R "eapol || wlan_mgt.tag.interpretation eq [essid] || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq [essid]) && wlan.bssid == [bssid]" -w [output file]
ALEX
Hello compilingEntropy,
Thanks for posting this! To post code in the comments you can use the sourcecode shortcode like the below, with square brackets at each end:
[sourcecode language=BASH light=TRUE]
code here
[/sourcecode]
Or email what you want posted in the comment above and I will add it from within the admin.
Again thanks for taking the time to make this observation.
Thanks.
alex
IDIOTIC
What an idiot way.. I have the file in WINDOWS, 2GB large.. how the f*** and why the f*** do I need to do that in Linux, moron.. show how you do it in Windows!!!
ALEX
Hello idiotic,
You can feel the brilliance in your comment. You don't have to do anything in Linux, or Windows for that matter, and most people stripping wireless packet captures for this purpose do so using Linux of some type. So glad you took the time to shine on this post. Now we can only hope that you will bless us with your presence again.
Thanks.
alex
@MIKE
It doesn't work. Maybe it extracts the WPA handshake, but the beacon frame is missing, so aircrack-ng will say unsupported file format.
DANIEL
Neither this nor your old post works. I keep ending up with other APs and clients, but with the SSIDs stripped.
This is the output I'm getting using your code:

   #  BSSID      ESSID    Encryption
   1  <removed>  <blank>  WPA (0 handshake)
   2  <removed>  <blank>  WPA (1 handshake)
   3  <removed>  <blank>  WPA (0 handshake)
   4  <removed>  <blank>  WPA (0 handshake)
   5  <removed>  <blank>  WPA (0 handshake)
   6  <removed>  <blank>  WPA (1 handshake)
   7  <removed>  <blank>  WPA (1 handshake)
   8  <removed>  <blank>  WPA (0 handshake)
   9  <removed>  <blank>  WPA (0 handshake)
  10  <removed>  <blank>  WPA (0 handshake)
  11  <removed>  <blank>  WPA (0 handshake)
  12  <removed>  <blank>  EAPOL+WPA (1 handshake)
  13  <removed>  <blank>  WPA (1 handshake)
  14  <removed>  <blank>  WPA (1 handshake)

   #  BSSID      ESSID      Encryption
   1  <removed>  <removed>  WPA (1 handshake)

I purposely removed the BSSIDs and SSIDs from all APs; the ones with blank didn't return any SSID even though in the original cap file they were there.