http://www.question-defense.com/2010/03/29/tsha...

Home Insights Tshark: Strip WPA Wireless Captures by ESSID with Tshark

Search here..

Tshark: Strip WPA Wireless Captures by ESSID with Tshark

purehate, March 29, 2010, Insights, 13 Comments


A while ago I wrote a short tutorial on how to strip down a wireless capture which contained a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a slightly better way to do it, so I decided to make a new post. In the previous article I showed how to strip by wlan_mgt frames containing the MAC address. The problem with this is that it strips out lots of other packets which some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.

If you just want the command (the output file name is whatever you pass to -w; the script below uses stripped.cap):

tshark -r <input file> -R "eapol || wlan_mgt.tag.interpretation eq <essid> || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq <essid>)" -w <output file>

Obviously you have to have tshark installed for this to work.

I also had a customer for our online WPA cracker server who was having trouble stripping a capture, so I decided to whip up a quick shell script to help him out.


#!/bin/bash
echo "This script requires tshark"
echo
echo "Checking for tshark"
# Abort early if tshark is not on the PATH
type tshark &>/dev/null || { echo "I require tshark but it's not installed. Aborting." >&2; exit 1; }
echo "tshark found"
echo
echo "Moving on...."
echo
echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap)"
read cap_path
echo
# Keep asking until the path points at an existing file
while [ ! -f "$cap_path" ]; do
    echo
    echo "File cannot be found or does not exist"
    echo
    echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap):"
    read cap_path
done
echo
echo "Please enter the ESSID (ex. NETGEAR)"
read essid
# Keep asking until a non-empty ESSID is given
while [ -z "$essid" ]; do
    echo "You still didnt enter any data n00b"
    echo
    echo "Please enter the ESSID (ex. NETGEAR)"
    read essid
done
echo
echo "Stripping file...."
# Keep EAPOL frames plus beacons whose SSID tag matches the ESSID and write them to stripped.cap.
# The path and ESSID are quoted so spaces survive. Newer tshark releases expect -Y instead of -R
# for a single-pass display filter, and newer Wireshark renamed wlan_mgt.ssid to wlan.ssid.
tshark -r "$cap_path" -R "eapol || wlan_mgt.tag.interpretation eq \"$essid\" || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq \"$essid\")" -w stripped.cap
echo
echo "Your stripped file should be located in the current directory and named stripped.cap."
If you want to use this, simply create a file called stripper.sh and paste this script into it. Next make the script executable by issuing the command:

chmod 755 stripper.sh

Once you have done that, simply run the script.

Example of the script being run:

[root@dev-tools ~]# ./strip.sh
This script requires tshark
Checking for tshark
tshark found
Moving on....

Please enter the path to the capture (ex. /home/john/NETGEAR.cap)
/root/old.cap
Please enter the ESSID (ex. NETGEAR)
NEUF_A268
Stripping file....
Running as user "root" and group "root". This could be dangerous.
Your stripped file should be located in the current directory and named stripped.cap.
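To make the filter's logic concrete, here is an added Python example (not from the article or from the question-defense tooling) that applies the same rule, keep EAPOL frames and beacons whose SSID tag matches the ESSID, to a raw 802.11 pcap. It assumes link type 105 captures without a radiotap header, and the sample capture it filters is constructed inline.

```python
import struct

LINKTYPE_IEEE802_11 = 105      # pcap link type: raw 802.11 frames, no radiotap header
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header + EAPOL ethertype 0x888E

def iter_pcap(data):
    # Yield each record's frame bytes from a classic pcap file (not pcapng)
    endian = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 capture (link type 105)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def beacon_ssid(frame):
    # SSID of a beacon (wlan.fc.type_subtype == 0x08): FC byte 0 = type 0, subtype 8 = 0x80
    if not frame or frame[0] != 0x80:
        return None
    off = 24 + 12                  # MAC header + timestamp/interval/capability fixed fields
    while off + 2 <= len(frame):   # walk the tagged parameters for tag 0 (SSID)
        tag, length = frame[off], frame[off + 1]
        if tag == 0:
            return frame[off + 2:off + 2 + length].decode("utf-8", "replace")
        off += 2 + length
    return None

def is_eapol(frame):
    # tshark's "eapol": an unencrypted data frame whose LLC/SNAP ethertype is 0x888E
    if len(frame) < 2 or (frame[0] >> 2) & 3 != 2 or frame[1] & 0x40:   # not data, or Protected
        return False
    hdr = 24 + (2 if frame[0] & 0x80 else 0) + (6 if frame[1] & 3 == 3 else 0)  # QoS, 4-address
    return frame[hdr:hdr + 8] == LLC_SNAP_EAPOL

def strip_capture(pcap_bytes, essid):
    # Exactly what the article's display filter keeps: EAPOL frames, or beacons for this ESSID
    return [f for f in iter_pcap(pcap_bytes) if is_eapol(f) or beacon_ssid(f) == essid]

def sample_pcap():
    # Constructed capture: beacons for two SSIDs, one EAPOL-Key frame, one encrypted data frame
    ap, other, sta = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\x02" * 6
    def beacon(bssid, ssid):   # FC 0x80, DA=broadcast, SA=BSSID, BSSID, seq, fixed fields, SSID tag
        return b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00\x00" + bytes(12) + bytes([0, len(ssid)]) + ssid.encode()
    def data(fc1, body):       # station -> AP (ToDS); fc1 0x41 also sets the Protected bit
        return bytes([0x08, fc1, 0, 0]) + ap + sta + ap + b"\x00\x00" + body
    frames = [beacon(ap, "NETGEAR"), beacon(other, "GUEST"),
              data(0x01, LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f" + bytes(95)), data(0x41, bytes(40))]
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11) + recs
```

Because the matching beacons are kept alongside the EAPOL frames, a tool reading the stripped file can still tie the handshake's BSSID to its ESSID; drop the beacons and the capture loses that mapping, which is what the "beacon frame is missing" comment below runs into.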
There are 13 Comments.

WLAN_7E6E

8:48 PM July 11, 2011

CRACIAS
Reply

ALEX

11:05 AM April 4, 2012

Hello WLAN_7E6E,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
Reply

PETRU

7:27 AM November 3, 2011

Yup, very interesting and educational. You guys are still the best (I mean Americans, because I'm not an American).
I think I'll use your WPA cracker too. Till the next time, be healthy and have fun.
Reply

ALEX

11:09 AM April 4, 2012

Hello Petru,
Thanks for the compliment. We however support a world where all are equal and we share the same respect for all regardless of birthplace. Sorry for the delayed response, I got overwhelmed with comments and am just now trying to catch up. Anyhow, hope you find our online password audit/password cracking services at http://tools.question-defense.com useful and valuable.
Anyhow thanks for taking the time to post feedback on our site.
Thanks.
alex
Reply

FAISAL

3:02 AM April 4, 2012

hello sir, I already have the password in the handshake capture file, how can I see that password
Reply

ALEX

11:12 AM April 4, 2012

Hello faisal,
You would need to use either software such as oclHashcat+ or aircrack-ng or an
online service like ours located at http://tools.question-defense.com. Good luck
and thanks for leaving feedback!
Thanks.
alex
Reply

COMPILINGENTROPY

5:54 PM December 6, 2012

Hmm, it seems your website thinks part of my command is html. Here's the actual command (last time!):
tshark -r [input file] -R eapol || wlan_mgt.tag.interpretation eq [essid] || (wlan.fc.type_subtype==008 && wlan_mgt.ssid eq [essid]) && wlan.bssid == [bssid] -w [output file]
Reply

ALEX

9:41 AM December 27, 2012

Hello compilingEntropy,
Thanks for posting this! To post code in the comments you can use the
sourcecode short code like the below with square brackets at each end [ open
... and ] close.
OPEN_BRACKETsourcecode language=BASH light=TRUECLOSE_BRACKET
code here
OPEN_BRACKET/sourcecodeCLOSEBRACKET
Or email what you want posted in the comment above and I will add it from
within the admin.
Again thanks for taking the time to make this observation.

Thanks.
alex
Reply

IDIOTIC

8:15 AM May 24, 2013

what an idiot way .. i have the file in WINDOWS 2gb large .. how the f*** and why the f*** i need to do that in linux moron .. show how you do it in windows!!!
Reply

ALEX

12:33 PM May 24, 2013

Hello idiotic,
You can feel the brilliance in your comment. You don't have to do anything in Linux or Windows for that matter, and most people stripping wireless packet captures for this purpose do and are using Linux of some type. So glad you took the time to shine on this post. Now we can only hope that you will bless us with your presence again.
Thanks.
alex
Reply

@MIKE

4:42 PM October 19, 2013

it doesn't work. maybe it extracts the wpa handshake but the beacon frame is missing, so aircrack-ng will say unsupported file format.
Reply

DANIEL

10:22 PM January 26, 2014

Neither this nor your old post works, I keep ending up with other APs and clients but with the SSIDs stripped.
This is the output I'm getting using your code:
#   BSSID      ESSID    Encryption
1   <removed>  <blank>  WPA (0 handshake)
2   <removed>  <blank>  WPA (1 handshake)
3   <removed>  <blank>  WPA (0 handshake)
4   <removed>  <blank>  WPA (0 handshake)
5   <removed>  <blank>  WPA (0 handshake)
6   <removed>  <blank>  WPA (1 handshake)
7   <removed>  <blank>  WPA (1 handshake)
8   <removed>  <blank>  WPA (0 handshake)
9   <removed>  <blank>  WPA (0 handshake)
10  <removed>  <blank>  WPA (0 handshake)
11  <removed>  <blank>  WPA (0 handshake)
12  <removed>  <blank>  EAPOL+WPA (1 handshake)
13  <removed>  <blank>  WPA (1 handshake)
14  <removed>  <blank>  WPA (1 handshake)
I got it working, I changed a few things:

tshark -r ../dump-01.cap -R "(eapol || (wlan.fc.type_subtype == 0x08)) && (wlan.bs
Note the brackets
Output:

#   BSSID      ESSID      Encryption
1   <removed>  <removed>  WPA (1 handshake)
I purposely removed the BSSIDs and SSIDs from all APs; the ones without didn't return any SSID even though in the original cap file they were there.
Reply

Pingback: Shell Script to Strip Wireless WPA Captures with Tshark

Question Defense 2015
