
A while ago I wrote a short tutorial on how to strip down a wireless capture containing a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a slightly better way to do it, so I decided to write a new post. In the previous article I showed how to filter by wlan.mgt frames containing the MAC address. The problem with that approach is that it strips out lots of other packets that some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.


If you just want the command:

tshark -r <input file> -R "eapol || wlan_mgt.tag.interpretation eq <essid>" -w <output file>

Obviously you have to have tshark installed for this to work.

I also had a customer of our online WPA cracker service who was having trouble stripping a capture, so I decided to whip up a quick shell script to help him out.

#!/bin/bash
# Strip a WPA capture down to EAPOL frames plus management frames that carry the ESSID.
echo "This script requires tshark"
echo
echo "Checking for tshark"
type -P tshark &>/dev/null || { echo "I require tshark but it's not installed.  Aborting." >&2; exit 1; }
echo "tshark found"
echo
echo "Moving on...."
echo
echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap)"
read -r cap_path
echo

# Keep asking until the path points at an existing file.
while [ ! -f "$cap_path" ]; do
        echo
        echo "File cannot be found or does not exist"
        echo
        echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap):"
        read -r cap_path
done
echo
echo "Please enter the ESSID (ex. NETGEAR)"
read -r essid

# An empty ESSID would produce an invalid display filter, so insist on a value.
while [ -z "$essid" ]; do
        echo "You still didn't enter any data n00b"
        echo
        echo "Please enter the ESSID (ex. NETGEAR)"
        read -r essid
done
echo
echo "Stripping file...."
# Quote both variables so a path or ESSID containing spaces is passed to tshark intact.
tshark -r "$cap_path" -R "eapol || wlan_mgt.tag.interpretation eq $essid" -w stripped.cap
echo
echo "Your stripped file should be located in the current directory and named stripped.cap."

If you want to use this simply create a file called stripper.sh and paste this script into it.

Next make the script executable by issuing the command:

chmod 755 stripper.sh

Once you have done that simply run the script.

Example of script being run:

[root@dev-tools ~]# ./strip.sh
This script requires tshark

Checking for tshark
tshark found

Moving on....

Please the path to the capture (ex. /home/john/NETGEAR.cap)
/root/old.cap

Please enter the ESSID (ex. NETGEAR)
NEUF_A268

Stripping file....
Running as user "root" and group "root". This could be dangerous.

Your stripped file should be located in the current directory and named stripped.cap.
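The one-liner above puts the ESSID straight into the display filter, which breaks on names containing spaces, quotes or backslashes. The following is an added example, not the post's own script: it quotes the ESSID as a display-filter string literal and wraps the tshark call with the checks a user would want. It assumes a current tshark (Wireshark 2.x or later), where the SSID field is wlan.ssid and display filters are passed with -Y rather than -R.

```shell
#!/bin/sh
# Added example: build a safe tshark display filter that keeps EAPOL frames plus
# management frames carrying a given ESSID, then run the strip.
# Assumes Wireshark 2.x+ field names (wlan.ssid) and the -Y display-filter option.

# Escape backslashes and double quotes so the ESSID is a valid filter string literal.
quote_essid() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the display filter for the given ESSID.
build_filter() {
    printf 'eapol || wlan.ssid == "%s"\n' "$(quote_essid "$1")"
}

# strip_capture <input.cap> <essid> <output.cap>
# Fails cleanly if the input is missing or tshark is not installed.
strip_capture() {
    in="$1"; essid="$2"; out="$3"
    [ -f "$in" ] || { echo "input capture not found: $in" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark is not installed" >&2; return 1; }
    tshark -r "$in" -Y "$(build_filter "$essid")" -w "$out"
}

# Count EAPOL frames in a file so the user can confirm the handshake survived the strip.
count_eapol() {
    tshark -r "$1" -Y eapol 2>/dev/null | wc -l
}
```

A complete four-way handshake shows up as four EAPOL frames from count_eapol; fewer than that means the stripped file will not be usable for cracking or verification.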

7 Responses to “Tshark: Strip WPA Wireless Captures by ESSID with Tshark”
  1. WLAN_7E6E says:

    THANKS


    alex Reply:

    Hello WLAN_7E6E,

    No problem. Thanks for taking the time to leave feedback.

    Thanks.
    alex


  2. Petru says:

    Yup, very interesting and educational. You guys are still the best (I mean Americans, because I'm
    not an American).
    I think I'll use your WPA cracker too. Till the next time, be healthy and have fun.


    alex Reply:

    Hello Petru,

    Thanks for the compliment. We however support a world where all are equal and we share the same respect for all regardless of birthplace. Sorry for the delayed response… got overwhelmed with comments and just now trying to catch up. Anyhow, I hope you find our online password audit/password cracking services at http://tools.question-defense.com useful and valuable.

    Anyhow, thanks for taking the time to post feedback on our site.

    Thanks.
    alex


  3. faisal says:

    Hello sir, I already have the password in the handshake capture file. How can I see that password?


    alex Reply:

    Hello faisal,

    You would need to use either software such as oclHashcat+ or aircrack-ng or an online service like ours located at http://tools.question-defense.com. Good luck and thanks for leaving feedback!

    Thanks.
    alex

