A while ago I wrote a short tutorial on how to strip down a wireless capture containing a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a slightly better way to do it, so I decided to write a new post. In the previous article I showed how to strip by wlan.mgt frames containing the MAC address. The problem with this is that it strips out lots of other packets which some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.


If you just want the command:

tshark -r <input file> -R "eapol || wlan_mgt.tag.interpretation eq <essid> || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq <essid>)" -w <output file>

Obviously you have to have tshark installed for this to work. Note that newer tshark releases take the display filter with -Y rather than -R and have dropped the wlan_mgt. prefix (wlan_mgt.ssid is now wlan.ssid), so adjust the command if tshark rejects it.

I also had a customer of our online WPA cracker server who was having trouble stripping a capture, so I decided to whip up a quick shell script to help him out.

#!/bin/bash
# Strip a wireless capture down to the EAPOL frames and the beacons/probes for one ESSID.
echo "This script requires tshark"
echo
echo "Checking for tshark"
type tshark &>/dev/null || { echo "I require tshark but it's not installed.  Aborting." >&2; exit 1; }
echo "tshark found"
echo
echo "Moving on...."
echo
echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap)"
read -r cap_path
echo

# Keep asking until the path points at an existing file
while [ ! -f "$cap_path" ]; do
        echo
        echo "File cannot be found or does not exist"
        echo
        echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap):"
        read -r cap_path
done
echo
echo "Please enter the ESSID (ex. NETGEAR)"
read -r essid

# An empty ESSID would leave a dangling "eq ||" in the filter, so insist on a value
while [ -z "$essid" ]; do
        echo "You still didn't enter any data n00b"
        echo
        echo "Please enter the ESSID (ex. NETGEAR)"
        read -r essid
done
echo
echo "Stripping file...."
# The path is quoted so names with spaces survive; the filter is the one from the post above.
# Newer tshark releases take the display filter with -Y and dropped the wlan_mgt. prefix
# (wlan_mgt.ssid is now wlan.ssid), so adjust the field names if tshark rejects them.
tshark -r "$cap_path" -R "eapol || wlan_mgt.tag.interpretation eq $essid || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq $essid)" -w stripped.cap
echo
echo "Your stripped file should be located in the current directory and named stripped.cap."

If you want to use this, simply create a file called stripper.sh and paste this script into it.

Next make the script executable by issuing the command:

chmod 755 stripper.sh

Once you have done that simply run the script.

Example of the script being run:

[root@dev-tools ~]# ./strip.sh
This script requires tshark

Checking for tshark
tshark found

Moving on....

Please the path to the capture (ex. /home/john/NETGEAR.cap)
/root/old.cap

Please enter the ESSID (ex. NETGEAR)
NEUF_A268

Stripping file....
Running as user "root" and group "root". This could be dangerous.

Your stripped file should be located in the current directory and named stripped.cap.
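As an added check that is not part of the original post: a small Python reader that counts the frames aircrack-ng looks for in the stripped file, a beacon carrying the ESSID plus the EAPOL frames, so a capture that lost its beacon can be spotted before uploading it. It assumes a classic pcap file with raw 802.11 (DLT 105) or radiotap (DLT 127) link type; the sample capture at the bottom is constructed inline.

```python
import struct

EAPOL_SNAP = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header with EtherType 0x888e

def iter_frames(pcap):
    """Yield 802.11 frames from a classic pcap; strips radiotap (DLT 127) headers."""
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    dlt, off = struct.unpack(e + "I", pcap[20:24])[0], 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        yield frame[struct.unpack("<H", frame[2:4])[0]:] if dlt == 127 else frame

def beacon_ssid(frame):
    """SSID from a beacon (frame control 0x80), or None for any other frame."""
    if frame[0] != 0x80:
        return None
    body = frame[36:]  # 24-byte MAC header + timestamp, interval, capabilities
    while len(body) >= 2:
        tag, ln = body[0], body[1]
        if tag == 0:
            return body[2:2 + ln].decode("utf-8", "replace")
        body = body[2 + ln:]
    return None

def is_eapol(frame):
    """True for a data frame carrying EAPOL (what the 'eapol' filter matches)."""
    if (frame[0] >> 2) & 3 != 2:
        return False
    hlen = 24 + (6 if frame[1] & 3 == 3 else 0) + (2 if frame[0] & 0x80 else 0)
    return frame[hlen:hlen + 8] == EAPOL_SNAP

def summarize(pcap, essid):
    """Count beacons naming ESSID and EAPOL frames in a (stripped) capture."""
    beacons = sum(1 for f in iter_frames(pcap) if beacon_ssid(f) == essid)
    eapol = sum(1 for f in iter_frames(pcap) if is_eapol(f))
    # Heuristic only: a beacon to name the network plus two or more handshake messages.
    return {"beacons": beacons, "eapol": eapol, "usable": beacons > 0 and eapol >= 2}

# Constructed sample capture (not from the post): two beacons and two EAPOL frames.
BSSID, STA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
def _beacon(ssid):
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + BSSID + BSSID + b"\x00\x00"
    return hdr + b"\x00" * 8 + b"\x64\x00\x11\x04" + bytes([0, len(ssid)]) + ssid.encode()
def _eapol():  # FromDS data frame, LLC/SNAP, then a dummy EAPOL-Key body
    hdr = b"\x08\x02\x00\x00" + STA + BSSID + BSSID + b"\x00\x00"
    return hdr + EAPOL_SNAP + b"\x02\x03\x00\x5f" + b"\x00" * 95
def _pcap(dlt, frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SAMPLE_PCAP = _pcap(105, [_beacon("NETGEAR"), _beacon("OtherNet"), _eapol(), _eapol()])
```

On a real file, run summarize(open("stripped.cap", "rb").read(), "NETGEAR"); a result with zero beacons is the case @mike describes below, where aircrack-ng cannot name the network.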
13 Responses to “Tshark: Strip WPA Wireless Captures by ESSID with Tshark”
  1. WLAN_7E6E says:

    THANKS

    [Reply]

    alex Reply:

    Hello WLAN_7E6E,

    No problem. Thanks for taking the time to leave feedback.

    Thanks.
    alex

    [Reply]

  2. Petru says:

    Yup, very interesting and educational. You guys are still the best (I mean Americans, 'cause I'm
    not an American).
    I think I'll use your WPA cracker too. Till the next time, be healthy and have fun.

    [Reply]

    alex Reply:

    Hello Petru,

    Thanks for the compliment. We however support a world where all are equal and we share the same respect for all regardless of birthplace. Sorry for the delayed response… got overwhelmed with comments and just now trying to catch up. Anyhow hope you find our online password audit/password cracking services at http://tools.question-defense.com useful and valuable.

    Anyhow thanks for taking the time to post feedback on our site.

    Thanks.
    alex

    [Reply]

  3. faisal says:

    hello sir, I already have the password in the handshake capture file, how can I see that password?

    [Reply]

    alex Reply:

    Hello faisal,

    You would need to use either software such as oclHashcat+ or aircrack-ng or an online service like ours located at http://tools.question-defense.com. Good luck and thanks for leaving feedback!

    Thanks.
    alex

    [Reply]

  4. compilingEntropy says:

    Hmm, it seems your website thinks part of my command is html. Here's the actual command (last time!):

    tshark -r [input file] -R "eapol || wlan_mgt.tag.interpretation eq [essid] || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq [essid]) && wlan.bssid == [bssid]" -w [output file]

    [Reply]

    alex Reply:

    Hello compilingEntropy,

    Thanks for posting this! To post code in the comments you can use the sourcecode short code like the below, with square brackets at each end: [ open ... and ] close.

    [sourcecode language="BASH" light="TRUE"]
    code here
    [/sourcecode]

    Or email what you want posted in the comment above and I will add it from within the admin.

    Again thanks for taking the time to make this observation.

    Thanks.
    alex

    [Reply]

  5. idiotic says:

    what an idiot way .. i have the file in WINDOWS 2gb large .. how the f*** and why the f*** i need to do that in linux moron .. show how you do it in windows!!!

    [Reply]

    alex Reply:

    Hello idiotic,

    You can feel the brilliance in your comment… You don’t have to do anything in Linux or Windows for that matter and most people stripping wireless packet captures for this purpose do and are using Linux of some type. So glad you took the time to shine on this post. Now we can only hope that you will bless us with your presence again.

    Thanks.
    alex

    [Reply]

  6. @mike says:

    it doesn’t work. maybe extract wpa handshake but beacon frame is missing, so aircrack-ng will say unsupported file format.

    [Reply]

  7. Daniel says:

    Neither this nor your old post works; I keep ending up with other APs and clients but with the SSIDs stripped.

    This is the output I'm getting using your code:

       #  BSSID              ESSID                     Encryption
    
       1  <removed>      <blank>                  WPA (0 handshake)
       2  <removed>      <blank>                  WPA (1 handshake)
       3  <removed>      <blank>                  WPA (0 handshake)
       4  <removed>      <blank>                  WPA (0 handshake)
       5  <removed>      <blank>                  WPA (0 handshake)
       6  <removed>      <blank>                  WPA (1 handshake)
       7  <removed>      <blank>                  WPA (1 handshake)
       8  <removed>      <blank>                  WPA (0 handshake)
       9   <removed>     <blank>                  WPA (0 handshake)
      10  <removed>     <blank>                  WPA (0 handshake)
      11   <removed>     <blank>                  WPA (0 handshake)
      12  <removed>      <blank>                 EAPOL+WPA (1 handshake)
      13  <removed>      <blank>                 WPA (1 handshake)
      14  <removed>      <blank>                 WPA (1 handshake)
    

    I got it working i changed a few things

    tshark -r ../dump-01.cap -R "(eapol || (wlan.fc.type_subtype == 0x08)) && (wlan.bssid == <bssid>)" -w out.cap
    

    Note the brackets

    Output:

    #  BSSID              ESSID                     Encryption
    
       1  <removed>  <removed>      WPA (1 handshake)
    
    

    I purposely removed the BSSIDs and SSIDs from all APs; the ones with <blank> didn't return any SSID even though in the original cap file they were there.

    [Reply]
