In the past we have written a couple articles on using tshark to strip WPA capture files down to a specific ESSID or SSID but in some cases it can be more useful to strip the capture down by BSSID or MAC address of the WAP. Isolating packets by BSSID or WAP MAC address is useful in a scenario where a wireless deployment has numerous WAP’s and you have captured a specific SSID’s traffic from more than one WAP. Below is information on how to strip down a capture file based on BSSID and information on capture size before stripping the file down.
A while ago I wrote a short tutorial on how to strip down a wireless capture which contained a wpa handshake so that only eapol packets and beacon frames where left. I have since found a little bit better way to do it so I decided to make a new post. In the previous article I showed how to strip by wlan.mgt frames containing the mac address. The problem with this is that it strips out lots of other packets which some programs use to check for ESSID. I looked into the issue some more and found a way to strip just by essid.
I recently had a customer upload a WPA capture to our tools.question-defense.com server which failed immediately. This can happen from time to time and is for a variety of reasons Sometimes if captures does not contain all 4 eapol packets they will fail , and sometimes if a capture has lots of other wifi garbage in the .cap file it can confuse the cracking program. This last time was a new situation. After the fail I analyzed the cap file and determined that the essid was not present in the capture. This is absolutely crucial for the decrypting process. In this short article I will show how I determined the essid was not present and what I did about it.
I have had lots of people email me and ask if there is anyway to make it impossible for a attacker to recover your mac address from a capture file. If you are using one of our tools like the WPA Cracker in our tools section, you may be hesitant to upload a clients capture data because a skilled attacker could use the capture and the online Wiggle database to pinpoint your location assuming your area has been mapped by wardrivers. Although we run a secure site there is no way for you as the client to know this.
Earlier today I needed to find the quickest and easiest way to monitor all traffic to and from a specific device on my network. The goal was to see how much bandwidth based on a specific amount of time that the device was using. My initial hope was that I could configure port monitoring on my WRT54G running DD-WRT firmware however I quickly found out this is not an option. I eventually settled on adding a couple iptables commands that would send all traffic destined for or sourced from a specific IP address to another IP address. Follow the directions below to add the iptables commands to a router running DD-WRT firmware and then to capture the traffic on a computer running Wireshark.