Tshark: Strip WPA Wireless Captures by ESSID with Tshark

A while ago I wrote a short tutorial on how to strip down a wireless capture containing a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a slightly better way to do it, so I decided to make a new post. In the previous article I showed how to strip by wlan.mgt frames containing the MAC address. The problem with this is that it strips out lots of other packets which some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.


If you just want the command:

tshark -r <input file> -R "eapol || wlan_mgt.tag.interpretation eq <essid> || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq <essid>)" -w <output file>

Obviously you have to have tshark installed for this to work.

I also had a customer for our online wpa cracker server who was having trouble stripping a capture so I decided to whip up a quick shell script to help him out.

#!/bin/bash
echo "This script requires tshark"
echo
echo "Checking for tshark"
type tshark &>/dev/null || { echo "I require tshark but it's not installed.  Aborting." >&2; exit 1; }
echo "tshark found"
echo
echo "Moving on...."
echo
echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap)"
read -r cap_path
echo

while [ ! -f "$cap_path" ]; do
        echo
        echo "File cannot be found or does not exist"
        echo
        echo "Please enter the path to the capture (ex. /home/john/NETGEAR.cap):"
        read -r cap_path
done
echo
echo "Please enter the ESSID (ex. NETGEAR)"
read -r essid

while [ -z "$essid" ]; do
        echo "You still didn't enter any data n00b"
        echo
        echo "Please enter the ESSID (ex. NETGEAR)"
        read -r essid
done
echo
echo "Stripping file...."
# Quote the variables so a path or ESSID containing spaces survives word splitting,
# and quote the ESSID inside the display filter so tshark reads it as one string.
tshark -r "$cap_path" -R "eapol || wlan_mgt.tag.interpretation eq \"$essid\" || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq \"$essid\")" -w stripped.cap || { echo "tshark failed; stripped.cap may be missing or incomplete." >&2; exit 1; }
echo
echo "Your stripped file should be located in the current directory and named stripped.cap."

If you want to use this simply create a file called stripper.sh and paste this script into it.

Next make the script executable by issuing the command:

chmod 755 stripper.sh

Once you have done that simply run the script.
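The one thing the script above does not handle is an ESSID that contains characters with meaning inside a Wireshark display filter (a double quote or a backslash), which would either break the filter or let the ESSID change what it matches. The helper below is an added example, not the post's script: it escapes the ESSID for the filter string, builds the same filter the post uses, and wraps the tshark call with the file and tool checks. The function names are my own. It keeps the post's `-R` flag and `wlan_mgt.*` field names; newer tshark releases expect `-Y` (or `-2 -R`) and renamed those fields to `wlan.*`, so adjust the filter if your version rejects it.

```shell
#!/bin/sh
# Added example (hypothetical helper functions, not from the original post).

# Escape a raw ESSID so it can sit inside a double-quoted display-filter string:
# backslash becomes \\ and a double quote becomes \". Command substitution strips
# the trailing newline printf adds, so the result is exactly the escaped ESSID.
essid_to_filter_literal() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the filter from the post with the ESSID quoted as a single string literal.
build_filter() {
    lit=$(essid_to_filter_literal "$1")
    printf 'eapol || wlan_mgt.tag.interpretation eq "%s" || (wlan.fc.type_subtype==0x08 && wlan_mgt.ssid eq "%s")' "$lit" "$lit"
}

# strip_capture <input.cap> <essid> <output.cap>
# Returns 1 if the input is missing, 2 if tshark is not installed,
# otherwise tshark's own exit status.
strip_capture() {
    in="$1"; essid="$2"; out="$3"
    [ -f "$in" ] || { echo "capture not found: $in" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark is not installed" >&2; return 2; }
    tshark -r "$in" -R "$(build_filter "$essid")" -w "$out"
}

# Usage (constructed example values):
#   strip_capture /root/old.cap 'NEUF_A268' stripped.cap
```

Because the ESSID is passed as a single quoted argument and escaped before it reaches the filter, a network name such as `Coffee "Shop"` or one containing spaces produces a valid filter instead of a tshark syntax error.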

Example of script being run:

[root@dev-tools ~]# ./strip.sh
This script requires tshark

Checking for tshark
tshark found

Moving on....

Please the path to the capture (ex. /home/john/NETGEAR.cap)
/root/old.cap

Please enter the ESSID (ex. NETGEAR)
NEUF_A268

Stripping file....
Running as user "root" and group "root". This could be dangerous.

Your stripped file should be located in the current directory and named stripped.cap.