Technology Insights

Tshark: Strip WPA Wireless Captures by ESSID with Tshark

A while ago I wrote a short tutorial on how to strip down a wireless capture containing a WPA handshake so that only EAPOL packets and beacon frames were left. I have since found a somewhat better way to do it, so I decided to write a new post. In the previous article I showed how to strip by wlan.mgt frames containing the MAC address. The problem with this approach is that it strips out many other packets that some programs use to check for the ESSID. I looked into the issue some more and found a way to strip just by ESSID.