Filter Wireless Network Captures By SSID Using TShark
It is very common when obtaining wireless network handshakes to end up with a huge capture(.cap or .pcap typically) file. Previously purehate wrote this article on filtering out SSID specific EAPOL packets from a capture file but if you wanted to keep any and all packets related to a specific SSID including data packets, beacon frames, etc. the below tshark command will accomplish that. This is very similar to the previous article but will provide more data for the user and still slim down a capture file if you had packets from multiple SSID’s.
Filter One SSID’s Packets From Wireless Network Capture:
So really all you need to do is make sure that tshark is installed which if you have Wireshark then tshark should already be installed. If you don’t have tshark installed then simply install Wireshark and you should be good to go. Next run the below command which takes a couple variables including capture file name, SSID, and output file name.
tshark -r wpa-capture.cap -R "wlan_mgt.ssid eq SSID" -w wpa-SSID.cap
The three items that you should change because they are specific to you include wpa-capture.cap which is the input file or the original wireless network capture, SSID which is the name of the wireless network you want to filter on, and wpa-SSID.cap which is whatever you want the output file to be named.
Doing the above before analyzing specific wireless network packets will make your life much easier!